On the 8th January, the ICO in the UK confirmed that it had not received notification of a data breach at Travelex.
Travelex seems to be under the misapprehension that, because it claims there is no evidence of any data having been taken, a data breach has not yet been confirmed. Unfortunately, the GDPR is quite clear that a loss of availability of personal data is still a data breach under Article 32.
The reason that Travelex were processing personal data was to provide a foreign currency service to its clients. Not being able to provide that service because of a ransomware attack constitutes a data breach through the lack of availability of that personal data. There is a “reasonable amount of time” type clause that gives some leeway for data being recovered from backups, but not a week, and certainly not the three weeks it has currently taken.
On that basis, the ICO will be eager to ensure that they are seen to be policing this effectively. In theory, the ICO should wait until they are formally notified of the breach, but that does not have to come from Travelex. A concerned client can raise this breach with the ICO to start this ball rolling.
And I’m sure by now the ball is well and truly in play.
Travelex annual revenue to the end of 2018 was a smidgen short of £730 million.
Operating income was a tad over £23 million.
A 4% fine from the ICO would hit the Travelex bank balance to the tune of £29 million, putting the organisation into the red on its own.
We currently do not know the details of the breach, but we can only imagine the possibilities based on other Point of Sale terminal-based businesses.
Dixons Carphone got stung for the maximum fine due to its failure to keep a POS-based estate updated.
Common threads exist in most POS type cyberattacks:
a. Lack of network segregation.
b. Easy access to admin accounts.
c. Lack of vulnerability management across the estate, leaving it exposed to basically any exploit.
d. Lack of implementation of routine upgrades and security patches.
I would be very surprised if the same contenders were not part of the Travelex breach.
Given the scale of the network, the IT / Cyber improvement plan to tidy up after this breach will not be simple or cheap.
This could easily run into significant millions. So that is another year's income gone, if not more.
More spending on the uplift of the internal or outsourced security programme.
Blank cheques flying in all directions.
All your major customers (the retail banks) auditing you out of sight.
And it could turn into the Royal Rumble with the FCA jumping in on the side of the ICO to double team Travelex.