The Travelex breach is still ongoing, having started on the 31st December 2019.
Travelex has confirmed that it has not informed the ICO of the breach, even though lack of data availability is considered a breach under Article 32 of the GDPR.
Aside from the obvious ransomware response issues generated here, there are a few more game-changing events to discuss.
Many retail banks use Travelex for their supply of foreign currency and have been unable to provide a coherent foreign currency service to their retail customers as a result.
Cometh the Regulator
The FCA will want to look at this from the point of view of business resilience applied to a retail banking service.
What has actually happened here is that a single cyberattack has crippled the foreign currency banking services for multiple high street banks, potentially affecting millions of customers.
The outcome of this is likely to be updated FCA guidance on how banks should look at their service resilience, with particular focus on single vendor dependencies and enhanced risk assessments around third party assurance.
This will mean that banks will look for a secondary supply of foreign currency, or potentially create a new open banking solution that doesn’t need physical currency to be exchanged, moving out of the physical currency exchange business altogether.
Either way, this is bad news for the current Travelex business model.
The physical currency exchange model
I can’t remember the last time I exchanged physical currency. I have both personal and business bank accounts that handle multiple currencies automatically for me (shout out to Transferwise for a brilliant service, and I’m not even on the affiliate programme).
My guess is physical currency exchange is still old school, used by people who remember this as the only way to get foreign currency for their holidays.
Or people without credit cards or other means of withdrawing cash at their destination.
Exactly the demographic that you don’t want to upset.
The first set has time on their hands to complain vociferously. The second set would have been affected disproportionately badly due to their lack of financial flexibility.
The importance of customer loyalty and trust
On the basis that Travelex had a working business model last December, there are still substantial numbers of people who use such a physical currency exchange service. Those people are likely to be:
- Very upset. It’s always bad to have a negative impact on someone’s holiday.
- Making New Year’s resolutions about how they will “never again be put in that position”.
- Looking for alternative options, all of which they will find are better than physical currency exchange.
The entire situation is likely to negatively impact the Travelex business model.
The Travelex business model
This single cyberattack is likely to reduce the overall market demand for physical currency exchange.
Physical currency exchange was always likely to be one of the first victims of the new open banking flexibility being made available throughout the EU (and the UK – we haven’t left yet!). This single cyberattack potentially accelerates this market decline.
Remediating the current situation is likely to be expensive. Travelex income from 2018 stood at just over £23 million.
So if we look at the financial impact of the breach, married to the fines, a possible class action from the disgruntled, legal costs, interesting contractual negotiations with retail banks, IT costs and some new security services, the CFO at Travelex will be busy with the red pen for the foreseeable future.
Only time will tell whether Travelex will become the first major business failure that is attributed to a cyberattack.