Joerg Habermeier - stock.adobe.c

Post Office ditches MoneyGram after cyber attack

The Post Office offered a short extension to enable it to asses the impact of the MoneyGram cyber incident, but the contract has now expired and MoneyGram services are no longer available in Post Office branches

MoneyGram services will no longer be available in thousands of Post Office branches from today, as its contract renewal is cancelled in the wake of a major cyber security incident.

A new contract between the companies was set to begin this week, but following the major cyber security incident at MoneyGram earlier this month, it has been canned as the Post Office seeks more assurances from the US money transfer firm over the service.

The US-based financial services firm turned down an offer of a short contract extension from the Post Office. In a message to its branches on Monday September 30, the Post Office said the contract with MoneyGram would expire at midnight.

Fintech MoneyGram enables users to transfer money, pay bills and trade in cryptocurrencies. It was forced to suspend services in the wake of an ongoing cyber security incident.

The issue began on Friday 20 September, when customers began to report problems, but it was at first identified as a simple network outage affecting connectivity.

The Post Office said MoneyGram services are still unavailable across the thousands of Post Office branches around the UK, while the organisation ensures it understands “the protective measures that MoneyGram have implemented following the incident”.

A new contract was close to being agreed before the cyber incident. The Post Office told subpostmasters: “Post Office and MoneyGram have been in contract negotiations since June of this year and had expected to agree a new contract to roll on from 1 October 2024. The contracting process was in the final stages when, unfortunately, MoneyGram suffered the cyber attack.”

The Post Office said it offered to extend the current contract for a shorter period to enable both organisations “to prioritise the service renewal activity”. The Post Office said this would have also enabled it to understand any longer-term impact of MoneyGram’s cyber incident for its customers, subpostmasters, and partners.

But MoneyGram did not accept the offer and the contract ended. The Post Office apologised for the one day notice to subpostmasters.

The organisation left the door open for a future contract, stating: “We are still committed to finding a way to try to continue our partnership and dialogue continues with MoneyGram. If there is any change, we will be immediately in touch.”

Post Office branched offered three separate services from MoneyGram – MG Send, MG Receive, and MG Cancellations. 

The Post Office said all transactions processed through a Post Office branch before MoneyGram went offline on 20 September have been sent to MoneyGram.

Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said that money transfer services made tempting targets for cyber criminals since they handle large amounts of digital case and hold extremely sensitive data. That MoneyGram appears to have been attacked is therefore not surprising.

“The challenge is balancing security with keeping services running,” said Mittal. “By taking everything offline, MoneyGram clearly put security first, but it also highlights a common struggle in the financial sector – how do you protect sensitive data without shutting down the business? Are companies ready to handle that challenge?”

Read more about recent cyber incidents

  • London’s transport network provider TfL experiences cyber security incident, but reassures customers there is no impact on services.
  • A major cyber attack at NHS services provider Synnovis is disrupting frontline care at hospitals across London.
  • A ransomware attack on the systems of publisher and social enterprise Big Issue Group has been claimed by the Qilin gang.

Read more on Endpoint security