ICO: Travelex hasn't reported a data breach

clock • 3 min read

'The company has not reported a data breach,' ICO tells Computing, but adds that they may be required to 'explain why it wasn't reported'

Travelex has not reported a data breach to the Information Commissioner's Office (ICO) despite being targeted in a ransomware attack that has kept its systems down since 31st December.

The decision not to notify the ICO within 72 hours of discovery comes despite the ransomware, called Sodinokibi or REvil, being linked with attackers who typically exfiltrate information before encrypting corporate data and demanding a ransom. They then threaten to release the data if their ransom is not paid.

If an organisation decides that a breach doesn't need to be reported they should... be able to explain why it wasn't reported

In a statement to Computing, an ICO spokesperson revealed that it had been in contact with Travelex and was advising it on "potential personal data issues", but added that "the company has not reported a data breach".

The statement continued: "If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported, if necessary.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.

"All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."

While Travelex failed to notify the ICO within 72 hours of discovery, it nevertheless managed to call-in the Metropolitan Police in less than three days.

Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach

The company maintained in its most recent statement that "there is still no evidence to date that any data has been exfiltrated".

The decision not to notify the ICO on 31st December, when the currency exchange specialist claimed to have first discovered what it maintained for more than a week was a virus, will be factored-in to the size of the fine that Travelex will face should any personal data be found to have been compromised.

The company took down its systems, website and mobile app following the outbreak on New Year's Eve, forcing staff to revert to manual procedures. Travellers across the world have been unable to top-up Travelex currency cards or obtain foreign currency electronically, while banks that rely on Travelex to support their foreign currency transactions have been unable to serve customers.

The size of potential fine that Travelex could face is substantial.

British Airways is facing a fine of £183 million, amounting to 1.5 per cent of global turnover over, for the 2018 Magecart attack on its payment pages.

Travelex could expect a stiffer fine to be proposed by the ICO - up to the maximum of four per cent of turnover - should any personal data have been compromised. It will also face similar enforcement action under data protection laws in jurisdictions across the world.

All Computing's coverage of the Travelex ransomware outbreak

You may also like
Big Issue subject to latest cybergang attack

Hacking

The hackers claim to have stolen 550GB of confidential information

clock 28 March 2024 • 2 min read
University CIO: 'We were owned in 4 hours'

Threats and Risks

And that certainly focused minds, says Salford University’s Mark Wantling

clock 20 March 2024 • 5 min read
Data breach at French unemployment agency exposes 43 million people

Hacking

Hackers infiltrated the France Travail's IT systems

clock 15 March 2024 • 2 min read

More on Security

You need to lock down cyber-physical systems: Here's how and why

You need to lock down cyber-physical systems: Here's how and why

Cybersecurity should focus on OT as well as IT

Samara Lynn
clock 27 March 2024 • 3 min read
China Crisis: Government blames China for Electoral Commission cyberattack

China Crisis: Government blames China for Electoral Commission cyberattack

Also accuses Chinese state-affiliated actors of trying to hack MPs emails

Penny Horwood
clock 26 March 2024 • 5 min read
A cyber-focused attorney on why 'Data is the hot potato'

A cyber-focused attorney on why 'Data is the hot potato'

Shawn Tuma, partner and co-chair of the data privacy and cybersecurity practice group at Spencer Fane LLP, shares some tips on cybersecurity for companies to follow.

Samara Lynn
clock 26 March 2024 • 3 min read