Why has Travelex not told the ICO about its Data Breach?

On 31st December 2019, Travelex fell victim to a huge cyberattack. Since then, the foreign exchange company has been negotiating with a ransomware group over a potentially huge privacy infringement. But what do we know about the Travelex data breach? And why hasn’t the company informed the UK’s data protection regulator?

What happened in the Travelex data breach?

The Sodinokibi ransomware group broke into Travelex’s computer systems and encrypted sensitive customer data. The gang has since held Travelex to ransom by threatening to sell the personal data of its customers unless paid 6 million US dollars (£4.6 million).

While the attack began on 31st December 2019, the hackers could have broken into the company’s computer systems as long as six months ago. The data involved in this breach is thought to include social security numbers, dates of birth and payment card information.

How did the company respond to the Travelex data breach?

Travelex did not initially acknowledge the hack and instead declared that its website was down for “routine maintenance”. It is also our understanding that – to date – customers have not been sent any email communication about the cyber-attack.

Very worryingly from a legal perspective (at the time of writing), the company has not yet reported the data breach to the Information Commissioner’s Office (ICO). By law, the ICO should be informed of any data breach that compromises personal data within 72 hours of discovery. This includes data not being available as well as it being lost or stolen.

Travelex says there is no evidence customer data has been put at risk. But as hackers have had access to the data – possibly for months – this seems highly unlikely.

Travelex will have to explain why the breach wasn’t reported to the ICO and the regulator is likely to take a dim view of Travelex’s actions.

A data breach is a serious failure, and if Travelex has neglected to protect its customers’ privacy rights it must be held to account, especially as this is not the first cybersecurity incident to hit Travelex and the company was warned months ago of its potential vulnerability to the Sodinokibi ransomware.

Are you affected by the breach?

The scale of the Travelex data breach is not yet known, but customers who have ordered money from the foreign exchange company could be at risk. If your data was involved in this hack, you might be able to make a Travelex compensation claim.

Should your personal data be found to be compromised, you can claim for:

  • Financial losses. A data breach can lead to financial theft, identity theft, or both, and the result of either can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.
  • Distress. Being the victim of a crime can have a significant impact on you mentally and physically. For some people, the effects can include a lack of sleep and feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.
  • Loss of privacy. You can claim for any loss of privacy suffered as a result of a data breach (e.g. having an email address stolen).

What should you do now?

At Hayes Connor Solicitors, we are watching this case with interest. If you want to make a data breach case against Travelex, contact our data breach experts to tell us about your experience.

There is no obligation to proceed and we may be able to take on your claim on a no-win, no-fee basis.