ICO: Travelex hasn't reported a data breach

'The company has not reported a data breach,' ICO tells Computing, but adds that they may be required to 'explain why it wasn't reported'

Travelex has not reported a data breach to the Information Commissioner's Office (ICO) despite being targeted in a ransomware attack that has kept its systems down since 31st December.

The decision not to notify the ICO within 72 hours of discovery comes despite the ransomware, called Sodinokibi or REvil, being linked with attackers who typically exfiltrate information before encrypting corporate data and demanding a ransom. They then threaten to release the data if their ransom is not paid.

In a statement to Computing, an ICO spokesperson revealed that it had been in contact with Travelex and was advising it on "potential personal data issues", but added that "the company has not reported a data breach".

The statement continued: "If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported, if necessary.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.

"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."

While Travelex failed to notify the ICO within 72 hours of discovery, it nevertheless managed to call in the Metropolitan Police in less than three days.

The company maintained in its most recent statement that "there is still no evidence to date that any data has been exfiltrated".

The decision not to notify the ICO on 31st December, when the currency exchange specialist claimed to have first discovered what it maintained for more than a week was a virus, will be factored in to the size of the fine that Travelex will face should any personal data be found to have been compromised.

The company took down its systems, website and mobile app following the outbreak on New Year's Eve, forcing staff to revert to manual procedures. Travellers across the world have been unable to top up Travelex currency cards or obtain foreign currency electronically, while banks that rely on Travelex to support their foreign currency transactions have been unable to serve customers.

The size of the potential fine that Travelex could face is substantial.

British Airways is facing a fine of £183 million, amounting to 1.5 per cent of global turnover, for the 2018 Magecart attack on its payment pages.

Travelex could expect a stiffer fine to be proposed by the ICO - up to the maximum of four per cent of turnover - should any personal data have been compromised. It will also face similar enforcement action under data protection laws in jurisdictions across the world.
