High-stakes ransom game as Travelex remains down for more than a week

Travelex business – and customers – held to ransom 

Travelex, the currency exchange company, has been hit by criminals in a ransomware cyber-attack that took place on New Year’s Eve. As a consequence, the company has taken down its websites across 30 countries in order to contain “the virus and protect data”.

A side-effect of the attack is that various banks, such as Lloyds, Barclays and Royal Bank of Scotland, and supermarkets such as Sainsbury’s and Tesco, are now unable to supply foreign currency, normally sourced through Travelex.

Travelex Whistleblower speaks out

However the BBC reported that an “employee claims that the company was alerted to the cyber attack at about 21:00 GMT on the 30 December, not 31 December as has been widely reported. He alleges internal communication has been “scant”, but that since then IT teams have been working flat-out buying and setting up new PCs and replacing certain software.”

It also reported on another employee who said in an email to the BBC “I couldn’t help but laugh at the suggestion that the public response has been ‘shockingly bad’. This is nothing compared to how it’s been handled internally. It feels like there is a distinct lack of real leadership and communication.”

Travelex states that there is no evidence that customer data has been stolen but certainly staff are resorting to pen and paper whilst new computers are brought in and set up.

In the meantime, there has been no communication from Travelex to its employees, business partners or customers about whether there are any viable back ups which could be used to recover data.

Data protection rights for Travelex customers:

Under the General Data Protection Regulations (GDPR) if there has been a breach of data:

1) Organisations must assess the risk to your personal rights and freedoms.

2) High risk breaches have to be notified to the persons whose data has been affected without undue delay with a description of the likely consequences.

3) Organisations must describe the measures taken, being taken or proposed to be taken to deal with the data breach. If applicable it should also describe the measures to mitigate any possible adverse effects.

Advice for Travelex customers

Anyone who has ever used Travelex should keep a close eye on their bank for any suspicious activity and report it immediately to their bank as possible fraud.

Check with the three credit agencies Transunion (were CallCredit), Experian and Equifax that no credit has been taken out in your name. Sara Williams from Debt Camel has a brilliant guide to credit scoring, myth busting and how to check different records. The 3 best ways to check your credit score & records – all free!

Be wary of any phone calls, texts and emails from anyone saying they are from Travelex. It is possible that other scammers will now emerge and contact people requesting bank details etc. Do not give them! (For more information see this Which? article on Phone scams).

If you incur financial loss or distress (and it can now be distress alone) contact the company (in writing so that you have a record) See 20 Top Tips on how to complain effectively for help. Follow the tips and explain the losses with evidence and how the matter has caused you stress.

You can also report to matter to the Information Commissioner’s Officer (ICO). It won’t give compensation or advise on the amount due but it may be able to help and will also add to any case that the ICO builds against Travelex.

You could contact the CEO using contact details that can be found here. He is very unlikely to respond personally! However it should escalate your case and ensure that it is dealt with by his executive team.

If you are not satisfied with the response then you can go to the Financial Ombudsman Service and if still not happy with the result take the case to the Small Claims Court.

What is the future for Travelex?

It appears that Travelex is handling the situation appallingly. As of 8 January 2020 the ICO says that it has still not received notification of a data breach and yet any company must inform the ICO within 72 hours if a breach poses a risk to people’s “rights and freedoms”. The ICO has the powers to fine up to £500,000 to any company that breaches the GDPR regulations.

If a company doesn’t do this, because they believe it is minor, they have to keep a record and explain why they didn’t report it. I for one look forward to seeing the explanation! It would seem to me that what appears to have happened is not minor!

At the point of publishing it is unknown if Travelex will pay the ransom. But what is clear is that Travelex has not been properly informing customers of the current situation, as it must do by law

Being held to ransom by a cybercriminal is bad enough for Travelex but then failing to properly inform the regulator makes the whole situation so much worse for the company. This is mismanagement on a grand scale, for which the directors must be held accountable.

Whirlpool plays dirty on washing machine refund saga

Appliances giant faces criticism for washing machine recall delays

Whirlpool, the white goods giant whose brands include Hotpoint and Indesit, has at last announced its plans for a partial recall of its faulty washing machines.

On 17 December 2019 it announced a recall of certain models of washing machines manufactured between 2014 and 2018. Advice to customers was to unplug the affected machines because of the possible risk of fire. This left affected customers without a washing machine over the Christmas period while the company appeared to do nothing to help customers or offer any compensation.

The fault – and associated recall – relates to the electronic locking system on 519,000 machines which were sold since 2014, which can cause them to overheat and catch fire. 79 fires have so far been caused by this electronic design failure.

Whirlpool has said that the 60,000 people so far found to be affected will receive an email by Friday 10 January 2019 inviting them to choose between a replacement and a repair. However, Whirlpool has still refused to offer refunds, partial or otherwise, to those affected. This is despite calls by consumer champions, such as Which?

Which? calls for refunds

Sue Davies, head of consumer protection at consumer group Which?, said:

“It would clearly be unacceptable if customers were left for many months without adequate washing facilities in their homes, particularly when there is also no offer to cover consequential costs such as trips to the laundrette.

The company should do the right thing and offer customers a refund, so people can get fire-risk machines out of their homes and quickly find a suitable replacement. There needs to be a full investigation about what Whirlpool knew about these machines and when.”

I obviously agree! It is disgusting that Whirlpool should continue to treat customers in this way. Why did it wait for 79 fires to occur before it took action? Why hasn’t it learnt any lessons from its own tumble dryer fiasco?

Slow to act

It has been 26 days since Whirlpool announced the recall and it is only now that it has started to notify customers regarding dates for replacement and/or repairs. Even as of late afternoon 9 January 2019 it still didn’t appear to have contacted all vulnerable customers. How long people will have to wait after receiving this email is not clear either.

The Hotpoint Twitter feed shows that the company has been slow to act. Even where a customer is vulnerable. For example:

BBC report

A BBC News report by Kevin Peachey on 9 January says:

“One of those affected by the recall is Janet McPherson, of Lampeter, South West Wales. The 65-year-old was fed up with the probability of a long wait, had lost trust in the brand, faced an eight-mile round trip to the laundrette, and was frustrated with Whirlpool’s customer service.

I made my vote by buying a different brand. It did not help with the Christmas budget at all,” she said.”

She wants a refund and is now ready for what could be a long fight with the company. I completely agree with Janet, of course Whirlpool customers should be given refunds.

Both my washing machine and dishwasher are on their last legs, I can assure you I won’t touch anything to do with Whirlpool, whose brands in the UK include Hotpoint and Indesit.

If I had an affected machine I would happily go through the Small Claims Court to get the necessary refund. I encourage and will support my readers to do the same. 

Your rights under The Consumer Protection Act 1987

This Act (a European directive) prohibits the manufacture and supply of unsafe goods, making the manufacturer or seller of a defective product responsible for any damage it causes. The Act states where a manufacturer has made a defective product which has caused a personal injury or damage to your property, it, not the trader is responsible. The value of the damage must be more than £275.

So you can claim for this as well if you have had a fire. However, I would recommend seeking legal advice from a solicitor before embarking on this.

For more details about the situation and what you can do, please see my previous article The Whirlpool washing machine whitewash

Take it to the top and persevere

If you’re having problems getting the necessary replacement or repair please click here to find the contact details for the Whirlpool UK CEO.

I heard on the BBC Radio 2 News today a customer had fought to get a refund on a Whirlpool appliance. She was threatened with the legal team but she kept on and won through in the end so don’t give up!

The future for Whirlpool

I fail to understand how Whirlpool thinks treating customers like this is acceptable. Why isn’t it doing what it can to ensure customers are treated fairly? How much longer can a company continue like this?

Many customers are losing faith in brand and many potential customers are too. Would you buy an appliance from a company that appears to continue to treat customers so unfairly?

Template letter to adapt

If you have an affected appliance, you could use this template and adapt as necessary. If you do not know the exact date give as much information as possible.

Please fill in the gaps then send the letter by email to the Whirlpool UK CEO.

Dear

On the (date, including year) I purchased a (fill in manufacturer name and model number) washing machine.

I am rejecting your offer of a repair or replacement. This is because I have lost faith in your company to put matters right or provide another like-for-like machine that is safe.

I expect therefore a full refund of the price paid for the faulty machine.

Under the Consumer Rights Act 2015 or the Sale and Supply of Goods Act 1994 (delete the Act which does not apply*) In addition I am legally entitled to out of pocket expenses. Due to being without a washing machine I have incurred the following expenses and attach evidence for:

(list what is applicable the below are examples)

Launderette cost so far £
Travel expenses cost so far £

These costs will continue to accumulate until the matter is resolved and I will expect full reimbursement of all costs incurred.

Should I not be fully satisfied with your response, I will not hesitate in taking the matter further and this will include but not be limited to taking the matter through the Small Claims Court.

Yours sincerely

etc.

* Consumer Rights Act 2015 for purchases made on or after 1 October 2015 and the Sale and Supply of Goods Act 1994 for purchases before then.