High-stakes ransom game as Travelex remains down for more than a week

Travelex business – and customers – held to ransom 

Travelex, the currency exchange company, has been hit by criminals in a ransomware cyber-attack that took place on New Year’s Eve. As a consequence, the company has taken down its websites across 30 countries in order to contain “the virus and protect data”.

A side-effect of the attack is that various banks, such as Lloyds, Barclays and Royal Bank of Scotland, and supermarkets such as Sainsbury’s and Tesco, are now unable to supply foreign currency, normally sourced through Travelex.

Travelex Whistleblower speaks out

However the BBC reported that an “employee claims that the company was alerted to the cyber attack at about 21:00 GMT on the 30 December, not 31 December as has been widely reported. He alleges internal communication has been “scant”, but that since then IT teams have been working flat-out buying and setting up new PCs and replacing certain software.”

It also reported on another employee who said in an email to the BBC “I couldn’t help but laugh at the suggestion that the public response has been ‘shockingly bad’. This is nothing compared to how it’s been handled internally. It feels like there is a distinct lack of real leadership and communication.”

Travelex states that there is no evidence that customer data has been stolen but certainly staff are resorting to pen and paper whilst new computers are brought in and set up.

In the meantime, there has been no communication from Travelex to its employees, business partners or customers about whether there are any viable backups which could be used to recover data.

Data protection rights for Travelex customers:

Under the General Data Protection Regulation (GDPR), if there has been a breach of data:

1) Organisations must assess the risk to your personal rights and freedoms.

2) High risk breaches have to be notified to the persons whose data has been affected without undue delay with a description of the likely consequences.

3) Organisations must describe the measures taken, being taken or proposed to be taken to deal with the data breach. If applicable it should also describe the measures to mitigate any possible adverse effects.

Advice for Travelex customers

Anyone who has ever used Travelex should keep a close eye on their bank for any suspicious activity and report it immediately to their bank as possible fraud.

Check with the three credit agencies, TransUnion (formerly Callcredit), Experian and Equifax, that no credit has been taken out in your name. Sara Williams from Debt Camel has a brilliant guide to credit scoring, myth busting and how to check different records: The 3 best ways to check your credit score & records – all free!

Be wary of any phone calls, texts and emails from anyone saying they are from Travelex. It is possible that other scammers will now emerge and contact people requesting bank details etc. Do not give them! (For more information see this Which? article on Phone scams).

If you incur financial loss or distress (and it can now be distress alone), contact the company in writing so that you have a record. See 20 Top Tips on how to complain effectively for help. Follow the tips and explain the losses with evidence and how the matter has caused you stress.

You can also report the matter to the Information Commissioner’s Office (ICO). It won’t give compensation or advise on the amount due, but it may be able to help, and your report will also add to any case that the ICO builds against Travelex.

You could contact the CEO using contact details that can be found here. He is very unlikely to respond personally! However it should escalate your case and ensure that it is dealt with by his executive team.

If you are not satisfied with the response then you can go to the Financial Ombudsman Service and if still not happy with the result take the case to the Small Claims Court.

What is the future for Travelex?

It appears that Travelex is handling the situation appallingly. As of 8 January 2020 the ICO says that it has still not received notification of a data breach, and yet any company must inform the ICO within 72 hours if a breach poses a risk to people’s “rights and freedoms”. The ICO has the power to fine any company that breaches the GDPR up to £500,000.

If a company doesn’t do this, because they believe it is minor, they have to keep a record and explain why they didn’t report it. I for one look forward to seeing the explanation! It would seem to me that what appears to have happened is not minor!

At the point of publishing it is unknown if Travelex will pay the ransom. But what is clear is that Travelex has not been properly informing customers of the current situation, as it must do by law.

Being held to ransom by a cybercriminal is bad enough for Travelex but then failing to properly inform the regulator makes the whole situation so much worse for the company. This is mismanagement on a grand scale, for which the directors must be held accountable.

Three out of five stars for CMA’s action so far on fake reviews?

Finally, some action from CMA on fake reviews – but is it enough?

The Competition and Markets Authority (CMA) has announced today (8 January 2020) that Facebook and eBay have “signed up to agreements to better identify, investigate and respond to fake and misleading reviews”, after being told by the CMA to address this issue.

According to the CMA, “more than three-quarters of people are influenced by reviews when they shop online, and billions of pounds are spent every year based on write-ups of products or services. Fake and misleading reviews are illegal under consumer protection law.”

However, most of us have stories where someone we know has been offered an item for free in exchange for a review, or know of a Facebook group which shares such “opportunities”. TripAdvisor and Amazon have their issues too. I even know someone who advises businesses how to grow, who asks colleagues to write favourable reviews for his friend’s restaurant.

Bad News about fake reviews

Fake reviews are bad news for both businesses and their customers. While someone may be thinking they have just helped out a friend of a friend or got something for nothing, the results can be damaging.

Small firms have been put out of business as competitors write fake reviews. In early 2019 Which? undertook expensive research and uncovered thousands of members of fake review groups, fake reviews where people had been paid or given the item for free.

It revealed its findings in July 2019 in the report Bribery, hacking and gaming the system: the tactics used to post fake reviews online. At the time the CMA announced that Facebook and eBay must tackle the issue. Facebook even claimed that the groups had already been removed. However Which? found 20 groups clearly labelled as review groups soon after Facebook’s announcement.

Consumers can’t trust reviews in this growing area of fake reviews.

Indeed, Claire Roach, who runs Daily Deals UK, says that she gets at least 10 messages a day (all from sellers in China) asking for various things. They ask if she can post their deals and if they can send free products in exchange for reviews. She says they are different Facebook accounts every time and that she must have received over 1000 such requests in the last two years. “I welcome a crackdown, as a consumer who has been duped many times by substandard products on Amazon which have good reviews. It’s such a waste of money and has put me off purchasing from there.”

But therein lies another problem: although Facebook groups have increased the problem of fake reviews on Amazon, Amazon does not appear to be part of the CMA’s process thus far. When I asked the CMA for clarity on what part Amazon has played in its work undertaken with Facebook and eBay, a spokesperson said “On background, our work so far has focussed on disrupting the market for the trade of fake reviews on Facebook and eBay. This announcement is part of ongoing work regarding fake online reviews. The next stage will be considering the role that review sites play. The CMA has not yet decided on its scope of work, but we expect to make an announcement about this in the coming months.”

Facebook says that it has so far removed 188 groups and disabled 24 users’ accounts, and eBay has permanently banned 140 users, according to the CMA. But if one was to look just at Ms Roach’s experience, this is perhaps just a drop in the ocean.

Both organisations have pledged to put measures in place that will help prevent this type of content from appearing in the future. This includes Facebook agreeing to introduce more robust systems to detect and remove such content and eBay improving its existing filters to better identify and block listings for the sale or trade of online reviews.

The CMA also highlighted new examples of fake and misleading reviews for sale via Instagram, and reported these to Facebook which operates Instagram. Facebook has committed to investigate the issue. The CMA will be seeking a commitment from Facebook to take action to tackle these further issues. Ms Roach was so sick of receiving messages through Facebook she turned the facility off but has now started to receive them through Instagram!

[Image: message asking Claire to undertake a review in return for the product]

Andrea Coscelli, CMA Chief Executive, said:
“Fake reviews are really damaging to shoppers and businesses alike. Millions of people base their shopping decisions on reviews, and if these are misleading or untrue, then shoppers could end up being misled into buying something that isn’t right for them – leaving businesses who play by the rules missing out.

We’re pleased that Facebook and eBay are doing the right thing by committing to tackle this problem and helping to keep their sites free from posts selling fake reviews.”

Future for fake reviews

Yes, the CMA is certainly taking action, but I still think a lot more work needs to be done to clean up the world of online reviews. Clearly Amazon, and many other online retailers, should be part of this work!