ICO: Travelex hasn't reported a data breach

clock • 3 min read

'The company has not reported a data breach,' ICO tells Computing, but adds that they may be required to 'explain why it wasn't reported'

Travelex has not reported a data breach to the Information Commissioner's Office (ICO) despite being targeted in a ransomware attack that has kept its systems down since 31st December.

The decision not to notify the ICO within 72 hours of discovery comes despite the ransomware, called Sodinokibi or REvil, being linked with attackers who typically exfiltrate information before encrypting corporate data and demanding a ransom. They then threaten to release the data if their ransom is not paid.

If an organisation decides that a breach doesn't need to be reported they should... be able to explain why it wasn't reported

In a statement to Computing, an ICO spokesperson revealed that it had been in contact with Travelex and was advising it on "potential personal data issues", but added that "the company has not reported a data breach".

The statement continued: "If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported, if necessary.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.

"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."

While Travelex failed to notify the ICO within 72 hours of discovery, it nevertheless managed to call-in the Metropolitan Police in less than three days.

Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach

The company maintained in its most recent statement that "there is still no evidence to date that any data has been exfiltrated".

The decision not to notify the ICO on 31st December, when the currency exchange specialist claimed to have first discovered what it maintained for more than a week was a virus, will be factored-in to the size of the fine that Travelex will face should any personal data be found to have been compromised.

The company took down its systems, website and mobile app following the outbreak on New Year's Eve, forcing staff to revert to manual procedures. Travellers across the world have been unable to top-up Travelex currency cards or obtain foreign currency electronically, while banks that rely on Travelex to support their foreign currency transactions have been unable to serve customers.

The size of potential fine that Travelex could face is substantial.

British Airways is facing a fine of £183 million, amounting to 1.5 per cent of global turnover over, for the 2018 Magecart attack on its payment pages.

Travelex could expect a stiffer fine to be proposed by the ICO - up to the maximum of four per cent of turnover - should any personal data have been compromised. It will also face similar enforcement action under data protection laws in jurisdictions across the world.

All Computing's coverage of the Travelex ransomware outbreak

You may also like
FBI obtains 7,000 LockBit decryption keys

Hacking

Offers victims hope of free data decryption

clock 07 June 2024 • 3 min read
Meta's AI plans are against EU law, says Max Schrems

Privacy

'This is clearly the opposite of GDPR compliance'

clock 06 June 2024 • 3 min read
Russian hackers behind London hospitals cyberattack

Hacking

The attack has forced hospitals to postpone or relocate elective surgeries

clock 06 June 2024 • 2 min read

More on Security

Cloud encryption rates are disastrously low, research

Cloud encryption rates are disastrously low, research

Come on in, the door's open

John Leonard
clock 05 June 2024 • 2 min read
Remote working: We're on top of defending WFH, say IT leaders

Remote working: We're on top of defending WFH, say IT leaders

'Security has been moved to devices rather than offices meaning all have the same protections'

John Leonard
clock 31 May 2024 • 3 min read
Asian Tech Roundup: Pressure grows in US-China trade war

Asian Tech Roundup: Pressure grows in US-China trade war

Plus: Google 'accidentally' deletes pension fund's cloud account

Tom Allen
clock 17 May 2024 • 4 min read