Travelex staff have had to write out paper invoices for customers as the foreign currency firm continues to be without computer systems after hackers took control, demanding a $3m ransom.

Travelex was forced to take down its global websites on 1 January after criminals attacked on its computer system on New Year’s Eve using Sodinokibi ransomware.

The cyber-attack has also shutdown the online currency exchange services offered by Virgin Money, Tesco Bank, First Direct and Sainsbury’s Bank, which are powered by Travelex.

The hackers are threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment-card information – into the public domain unless the company pays up.

As the crisis continued on Wednesday, shares in Travelex’s parent company Finablr, a global payments company listed in London, plunged by 16% to a record low. This was despite an attempt by the United Arab Emirates-based company to allay fears of a major online leak of personal data.

“Travelex has been successful in containing the spread of the ransomware,” the company said. “Travelex has also confirmed that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted, and that there is still no evidence that any data has been exfiltrated.”

Staff have been using pen, paper and ink stamps to issue receipts confirming cash currency transactions for customers.

The chief executive, Tony D’Souza, said: “Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim.”

The London-based firm has a presence in more than 70 countries with at least 1,200 branches and 1,000 ATMs. It processes more than 5,000 currency transactions every hour.

The company is not able to say when it expects to be able to regain control of its computer systems. “Travelex has been able to restore a number of internal systems, which are operating normally,” it said. “The company is working to resume normal operations as quickly as possible.”

The cyber-attack has also triggered criminal investigations led by the UK’s National Crime Agency and the Metropolitan police.

“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data,” D’Souza said. “Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise.”

Finablr’s other six brands – UAE Exchange, Xpress Money, Unimoni, Remit2India, Ditto and Swych – were not affected by the hack.