Travelex has not reported a data breach to the Information Commissioner's Office (ICO) despite being targeted in a ransomware attack that has kept its systems down since 31st December.
The decision not to notify the ICO within 72 hours of discovery comes despite the ransomware, called Sodinokibi or REvil, being linked with attackers who typically exfiltrate information before encrypting corporate data and demanding a ransom. They then threaten to release the data if their ransom is not paid.
If an organisation decides that a breach doesn't need to be reported they should... be able to explain why it wasn't reported
In a statement to Computing, an ICO spokesperson revealed that it had been in contact with Travelex and was advising it on "potential personal data issues", but added that "the company has not reported a data breach".
The statement continued: "If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported, if necessary.
"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."
While Travelex failed to notify the ICO within 72 hours of discovery, it nevertheless managed to call-in the Metropolitan Police in less than three days.
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach
The company maintained in its most recent statement that "there is still no evidence to date that any data has been exfiltrated".
The decision not to notify the ICO on 31st December, when the currency exchange specialist claimed to have first discovered what it maintained for more than a week was a virus, will be factored-in to the size of the fine that Travelex will face should any personal data be found to have been compromised.
The company took down its systems, website and mobile app following the outbreak on New Year's Eve, forcing staff to revert to manual procedures. Travellers across the world have been unable to top-up Travelex currency cards or obtain foreign currency electronically, while banks that rely on Travelex to support their foreign currency transactions have been unable to serve customers.
The size of potential fine that Travelex could face is substantial.
Travelex could expect a stiffer fine to be proposed by the ICO - up to the maximum of four per cent of turnover - should any personal data have been compromised. It will also face similar enforcement action under data protection laws in jurisdictions across the world.
All Computing's coverage of the Travelex ransomware outbreak:
- Travelex refuses to comment on whether it paid ransom to get its data back
- Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack
- Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data
- ICO: Travelex hasn't reported a data breach
- Metropolitan Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack
- Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
- Travelex ignored September warning over 'insecure' VPN server software
- Travelex takes down currency exchange website following New Year's Eve cyber attack
'Open source was seen as a way to deliver a cheap knock-off of a word processor and now it's recognised as the best way to innovate and deliver the best ideas to the market'
Where cloud dreams come unstuck - the common pitfalls experienced during cloud moves, and how to avoid them
HPE technologists on the cost and operational issues surrounding hybrid cloud and bimodal IT
Fine reduced from initial figure of £183 million because of the pandemic, ICO says
Open source software and open APIs have increased the range of options available to IT leaders, but has the problem moved elsewhere?
The alliance wants tech firms to add functionality to their apps for governments to view encrypted messaging; but tech giants argue that any such system could be exploited