A not so happy new year

Peter Swabey, Policy and Research Director at The Chartered Governance Institute UK & Ireland, comments on the Travelex ransomware attack and the implications of a data breach.

One auld acquaintance that I suspect Travelex would very much like to forget is Sodinokibi, otherwise known as REvil, the cyber-criminal gang that, according to the BBC, has claimed responsibility for the ransomware attack discovered on New Year’s Eve which forced the company, the world’s largest currency dealer, to take its services offline. The criminals are reportedly demanding cash – speculated to be some six million US dollars (£4.6 million) – and are threatening to release customer information, including social security numbers, dates of birth and credit card details, into the public domain unless Travelex pays the ransom. There is some media speculation that the company has, at least, been in negotiation about doing so.

This is interesting because, although Travelex has admitted that some of its data has been encrypted by the ransomware, it insists that no customer data has been compromised and for that reason decided against formally notifying the Information Commissioner’s Office (ICO) when the attack was first detected. It is, however, reportedly in communication with the ICO, the National Cyber Security Centre, the Metropolitan Police and the Financial Conduct Authority, all of which are taking a close interest as the situation develops. This could be a grey area: it could be argued that there is no data breach if the data has not been accessed by a third party, but it can equally be argued that if personal data in your care is encrypted and you cannot access or decrypt it, you can hardly be described as ‘controlling’ that data, and this could be interpreted as a breach. The GDPR definition of a personal data breach covers loss and destruction of personal data as well as unauthorised disclosure of or access to it, so an encryption event that denies the controller access can fall within that definition even if nothing has been exfiltrated. Let us not forget that any company suffering a breach of customer information must notify the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) or face a fine of up to 4% of global annual turnover – a figure that, in the case of Travelex, is likely to be followed by quite a number of zeros, perhaps as high as £30 million.

In the last week, I have seen an increasing corporate focus on the issue of cyber security, less from a sense of schadenfreude and more from the position of ‘there, but for the grace of God ...’. Most of us now accept that data breaches can happen. There is consequently less stigma attached to a company admitting that it has been the victim of an attack, and a much greater focus on how it has handled the situation. One of the challenges for Travelex is that it is perceived to have handled this badly: the initial communication claimed that the website was down for ‘planned maintenance’, and some time passed before the true situation was admitted.

In the age of social media, communication needs to be clear, prompt and honest if it is to address a situation. In the absence of information from the affected company, social media is very good at spreading rumour and speculation which may, or more likely may not, be well informed and which in many cases will be presented as fact rather than the speculation it is. In a case like this, where there is some potential financial risk to customers, they will rightly expect to be told exactly what is happening, to provide assurance that the company is on top of the situation.

The author of this article is Peter Swabey, Policy and Research Director at The Chartered Governance Institute UK & Ireland. 
