Travelex, which has more than 1,200 branches and 1,000 ATMs spread over 70 countries, has said it is “making good progress” recovering from the Hogmanay hack in which the gang demanded payment of £4.6 million and threatened to release up to 5GB of customers’ personal data.
Three weeks on, high street banks including Barclays, HSBC and Clydesdale and online financial services firms First Direct, Virgin Money and Tesco Bank, which all rely on Travelex for foreign exchange services, confirmed they were still unable to offer online exchange services or process orders for foreign currency.
Travelex said a phased global restoration of systems was now under way and some of its customer-facing systems were up and running again.
The cyber attack, sadly part of a growing and alarming trend, serves as a stark reminder that businesses that rely on others for providing services to their customers should review their contracts. The terms of such contracts will dictate whether the businesses have any recourse against their service provider in circumstances where services are disrupted due to a cyber event.
Travelex said its ongoing investigation had yet to find evidence that customer data had been compromised in the attack and it is working with the UK’s National Crime Agency and the Metropolitan Police.
The UK’s Information Commissioner’s Office (ICO) has said: “If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms. All organisations processing personal data should do so safely and securely.”
This case is the latest high-profile example of the ever-present threat of ransomware attacks. Such attacks carry risk for businesses on several fronts: the legal and regulatory risk of non-compliance with data privacy requirements, and the reputational damage that can arise from the impact on customers of disrupted services, or from having an ineffective, unprepared or untested customer engagement and public relations strategy for cyber events.
In today’s world of increased integration of technology and data, there is a risk that many businesses will be exposed where ransomware attacks are carried out on third-party service providers. It is therefore also imperative that businesses anticipate this risk and seek to reflect this in service level agreements and other terms of their contracts regarding liability, with a view to being able to obtain redress for any impact caused to their operations and services stemming from cyber attacks on service providers.
UK courts have already demonstrated their willingness to support businesses in their attempts to identify those responsible for cyber attacks and shut down their operations. A number of cases have already come before the UK courts where injunctions have been issued against “Person(s) Unknown”, including where service has been effected via email, and where courts have permitted hearings to be conducted in private and restricted the extent of confidential information made public about such cyber attacks.
There are various pre-emptive measures businesses can take to help them restore systems and data targeted by ransomware attacks. Businesses can protect themselves from being cut off from systems and data by operating independent, segregated back-ups that they can fall back on where primary systems are rendered unavailable in an attack.
Ian Birdsey, partner and specialist in cyber technology and data breaches at Pinsent Masons.