Hack Attack: Customer data held hostage in Travelex hacking

January 29, 2020


What's going on here?

Foreign exchange company Travelex is being held to a £4.6m ransom by hackers.

What does this mean?

On New Year’s Eve a group of hackers, believed to be the sophisticated REvil/Sodinokibi group, exploited a weakness in Travelex’s network and installed ransomware. Ransomware is malicious software designed to block access to a computer system until a sum of money is paid. The hackers claim to have gained access to the network six months ago, and in that time to have downloaded 5GB of customer data including dates of birth, credit card details, and national insurance numbers. The hackers have stated that they will destroy and not use the information provided a £4.6m ransom is paid. In order to minimise the impact of the ransomware and to protect customer data, Travelex took down its websites. Travelex claims that no data has been leaked, but it did not specify whether data was at risk.

The hack has affected online travel money services for its partners, including Sainsbury’s Bank and Virgin Money, as well as high street banks (Lloyds, Barclays and RBS) which rely on Travelex for their foreign exchange services.

What's the big picture effect?

This hacking raises a number of issues relating to privacy, specifically the safe storage of sensitive customer data and GDPR compliance. The GDPR requires the Information Commissioner’s Office (ICO) to be notified of any data breach within 72 hours of it becoming known, unless it does not pose a risk to people’s rights and freedoms. A breach of the GDPR can result in a hefty fine of 4% of the breaching company’s global turnover. As of 7 January 2020, the ICO stated that it had not been notified of a data breach at Travelex, so it looks likely that Travelex will face those fiscal penalties. The fact that Travelex was reportedly notified of a weakness in its network prior to the hack could intensify any claims against it.

Companies made nervous by the attack may seek the help of firms to ensure they are doing all they can to meet the GDPR requirements and keep customer data safe. Those companies which, like Travelex, have been unfortunate enough to be hacked can seek the help of firms to understand their rights and responsibilities in the aftermath of the hack, as well as to deal with any litigation which may arise as a result.

As reliance on technology intensifies, it is likely that hacks will become a growing phenomenon; therefore, how hacks are managed and dealt with becomes a crucial issue. Companies suffering from hacks are encouraged not to give in to demands for money, as this would likely fuel the criminal hacking industry. However, not paying a ransom can end up being even more costly when factoring in the price of recovery operations and the harm that data loss could cause consumers. An example of this can be seen in the hack of Norsk Hydro in 2019, where £50m was spent on recovery while the hackers had demanded a much lower £300,000.

In the past, ransomware hacks such as this one have left companies locked out of their systems. However, this case seems to have gone one step further by weaponising GDPR fines and using them as a further incentive to pay the ransom. Holding customer data hostage could be the future of hacking, and with this serious threat in mind, a strong and clear response from regulators is crucial in ensuring both that consumers’ data is protected and that hackers cannot manipulate or exploit the system for criminal financial gain.

Report written by Julie Lawford
