Travelex business – and customers – held to ransom
Travelex, the currency exchange company, has been hit by criminals in a ransomware cyber-attack that took place on New Year’s Eve. As a consequence, the company has taken down its websites across 30 countries in order to contain “the virus and protect data”.
A side-effect of the attack is that various banks, such as Lloyds, Barclays and Royal Bank of Scotland, and supermarkets such as Sainsbury’s and Tesco, are now unable to supply foreign currency, which they normally source through Travelex.
Travelex Whistleblower speaks out
However, the BBC reported that an “employee claims that the company was alerted to the cyber attack at about 21:00 GMT on 30 December, not 31 December as has been widely reported. He alleges internal communication has been ‘scant’, but that since then IT teams have been working flat-out buying and setting up new PCs and replacing certain software.”
It also reported on another employee who said in an email to the BBC: “I couldn’t help but laugh at the suggestion that the public response has been ‘shockingly bad’. This is nothing compared to how it’s been handled internally. It feels like there is a distinct lack of real leadership and communication.”
Travelex states that there is no evidence that customer data has been stolen, but staff are certainly resorting to pen and paper while new computers are brought in and set up.
In the meantime, there has been no communication from Travelex to its employees, business partners or customers about whether there are viable backups from which data could be recovered.
Data protection rights for Travelex customers:
Under the General Data Protection Regulation (GDPR), if there has been a breach of personal data:
1) Organisations must assess the risk to your personal rights and freedoms.
2) High-risk breaches must be notified to the people whose data has been affected without undue delay, with a description of the likely consequences.
3) Organisations must describe the measures taken, being taken or proposed to deal with the breach and, where applicable, the measures to mitigate any possible adverse effects.
Advice for Travelex customers
Anyone who has ever used Travelex should keep a close eye on their bank accounts for any suspicious activity and report it to their bank immediately as possible fraud.
Check with the three credit reference agencies, TransUnion (formerly Callcredit), Experian and Equifax, that no credit has been taken out in your name. Sara Williams from Debt Camel has a brilliant guide to credit scoring, myth busting and how to check different records: The 3 best ways to check your credit score & records – all free!
Be wary of any phone calls, texts and emails from anyone claiming to be from Travelex. It is possible that other scammers will now emerge and contact people asking for bank details and the like. Do not give them out! (For more information, see this Which? article on phone scams.)
If you incur financial loss or distress (and it can now be distress alone), contact the company in writing so that you have a record. See 20 Top Tips on how to complain effectively for help. Follow the tips, set out your losses with evidence, and explain how the matter has caused you stress.
You can also report the matter to the Information Commissioner’s Office (ICO). The ICO won’t award compensation or advise on the amount due, but it may be able to help, and your report will add to any case the ICO builds against Travelex.
You could contact the CEO using the contact details that can be found here. He is very unlikely to respond personally, but it should escalate your case and ensure that it is dealt with by his executive team.
If you are not satisfied with the response, you can go to the Financial Ombudsman Service and, if still not happy with the result, take the case to the Small Claims Court.
What is the future for Travelex?
It appears that Travelex is handling the situation appallingly. As of 8 January 2020 the ICO says that it has still not received notification of a data breach, yet any company must inform the ICO within 72 hours of becoming aware of a breach that poses a risk to people’s “rights and freedoms”. Under the GDPR the ICO has the power to fine a company up to €20 million or 4% of its annual worldwide turnover, whichever is higher; the £500,000 cap often quoted was the maximum under the earlier Data Protection Act 1998.
If a company doesn’t report a breach because it believes the breach is minor, it still has to keep a record of it and be able to explain why it wasn’t reported. I for one look forward to seeing the explanation! It would seem to me that what appears to have happened here is anything but minor!
At the time of publishing it is unknown whether Travelex will pay the ransom. What is clear is that Travelex has not been properly informing customers of the current situation, as it must by law.
Being held to ransom by cybercriminals is bad enough for Travelex, but failing to properly inform the regulator makes the whole situation much worse for the company. This is mismanagement on a grand scale, for which the directors must be held accountable.