Foreign exchange company Travelex has suffered a severe hack that has forced it to deactivate all computer systems in an attempt to protect data and contain a virus.
The hack is allegedly by ransomware gang Sodinokibi, who claim that they gained access to the company’s network six months ago. They also claim that they have downloaded 5GB of customer data since then. Among the data is stated to be dates of birth, credit card information, and national insurance numbers.
According to current information, the response from Travelex has been extremely poor. Customer data is at risk, but they have not taken sufficient measures to protect it. The BBC reports:
The Information Commissioner’s Office (ICO) said it had not received a data breach report from Travelex.
A spokeswoman added: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.
“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
While Travelex insists that no customer data was leaked, it also “would not say what data could potentially be at risk” and – given the severity of the hack – should be keeping the ICO informed.
Furthermore, it turns out that customers have not been informed about the hack. Rather than being able to take measures to potentially protect themselves, they are being kept in the dark.
The BBC goes on to quote security researcher Kevin Beaumont, who described the public response from Travelex as “shockingly bad”:
“The Travelex UK website still only says ‘planned maintenance’, a week after the problems began – many customers will be completely unaware hackers gained access to their network, and allegedly their personal data,” he said.
“Travelex have a responsibility to clearly communicate with customers and business partners the gravity of the situation.”
While the situation is still ongoing and we don’t yet know its conclusion, it’s clear that Travelex has already made many mistakes. That the hack happened at all indicates that its cybersecurity measures are insufficient.
Customers of Travelex should have immediately been informed, as should the ICO, in order to limit the potential damage that could be done. It’s concerning that the company’s response has not included this, demonstrating a worrying lack of awareness about data protection.
And with Travelex’s partners including Virgin Money, Sainsbury’s Bank, and HSBC owned First Direct, the impact could be huge.
Are you uncertain about your own data protection obligations under GDPR and how you should respond if a situation like this occurs? Contact us now; our GDPR Consultants are here to provide expert advice and guidance.