'The company has not reported a data breach,' ICO tells Computing, but adds that they may be required to 'explain why it wasn't reported'
Travelex has not reported a data breach to the Information Commissioner's Office (ICO) despite being targeted in a ransomware attack that has kept its systems down since 31st December.
The decision not to notify the ICO within 72 hours of discovery comes despite the ransomware, called Sodinokibi or REvil, being linked with attackers who typically exfiltrate information before encrypting corporate data and demanding a ransom. They then threaten to release the data if their ransom is not paid.
If an organisation decides that a breach doesn't need to be reported they should... be able to explain why it wasn't reported
In a statement to Computing, an ICO spokesperson revealed that it had been in contact with Travelex and was advising it on "potential personal data issues", but added that "the company has not reported a data breach".
The statement continued: "If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported, if necessary.
"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."
While Travelex failed to notify the ICO within 72 hours of discovery, it nevertheless managed to call-in the Metropolitan Police in less than three days.
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach
The company maintained in its most recent statement that "there is still no evidence to date that any data has been exfiltrated".
The decision not to notify the ICO on 31st December, when the currency exchange specialist claimed to have first discovered what it maintained for more than a week was a virus, will be factored-in to the size of the fine that Travelex will face should any personal data be found to have been compromised.
The company took down its systems, website and mobile app following the outbreak on New Year's Eve, forcing staff to revert to manual procedures. Travellers across the world have been unable to top-up Travelex currency cards or obtain foreign currency electronically, while banks that rely on Travelex to support their foreign currency transactions have been unable to serve customers.
The size of potential fine that Travelex could face is substantial.
Travelex could expect a stiffer fine to be proposed by the ICO - up to the maximum of four per cent of turnover - should any personal data have been compromised. It will also face similar enforcement action under data protection laws in jurisdictions across the world.
All Computing's coverage of the Travelex ransomware outbreak:
- Travelex refuses to comment on whether it paid ransom to get its data back
- Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack
- Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data
- ICO: Travelex hasn't reported a data breach
- Metropolitan Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack
- Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
- Travelex ignored September warning over 'insecure' VPN server software
- Travelex takes down currency exchange website following New Year's Eve cyber attack