Ian Birdsey: Travelex cyber attack underlines need for business to mitigate risk
It’s been a challenging start to 2020 for foreign exchange operator Travelex which became the latest global business to be targeted by a ransomware gang known as “Sodinokibi”, writes Ian Birdsey.
Travelex, which has more than 1,200 branches and 1,000 ATMs spread over 70 countries, has reported that it is “making good progress” recovering from the Hogmanay hack in which the gang demanded payment of £4.6 million and threatened to release up to 5GB of customers’ personal data.
Three weeks on, high street banks including Barclays, HSBC and Clydesdale and online financial services First Direct, Virgin Money and Tesco Bank, which all rely on Travelex for foreign exchange services, have confirmed they are still unable to offer online exchange services or process orders for foreign currency.
With its online travel money service out of action, Travelex staff had been forced to use pen and paper to serve customers but the company said a phased global restoration of systems was now underway and the first of its customer-facing systems was up and running again.
The cyber-attack, sadly part of a growing and alarming trend, serves as a stark reminder that businesses that rely on others for providing services to their customers should review their contracts with their service providers. The terms of such contracts will dictate whether the businesses have any recourse against their service provider in circumstances where services are disrupted due to a cyber event.
Travelex said that its ongoing investigation had yet to find evidence that customer data had been compromised in the attack, and that it is working with the UK’s National Crime Agency and the Metropolitan Police, which are both conducting criminal investigations.
The UK’s Information Commissioner’s Office (ICO) confirmed to the BBC on 7 January that it had not been formally notified of a data breach by the company. An ICO spokesperson said at the time: “We are in contact with Travelex and giving advice on potential personal data issues following the recent ransomware attack; the company has not reported a data breach.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms. All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO.”
This case is the latest high-profile example of the ever-present threat of ransomware attacks. Such attacks carry risk for businesses in a range of areas: legal and regulatory risk from non-compliance with data privacy requirements, and reputational damage arising from the impact on customers of disrupted services, or from an ineffective, unprepared or untested customer engagement and public relations strategy for cyber events.
In today’s world of increasingly integrated technology and data, many businesses risk being exposed when ransomware attacks are carried out on their third-party service providers. It is therefore also imperative that businesses anticipate this risk and reflect it in service level agreements and in the liability terms of their contracts, with a view to obtaining redress for any impact on their operations and services stemming from cyber-attacks on service providers.
UK courts have already demonstrated their willingness to support businesses in their attempts to identify those responsible for cyber-attacks and to shut down their operations. A number of cases have come before the UK courts in which injunctions have been issued against “Person(s) Unknown”, including cases where service has been effected via email, and where courts have permitted hearings to be conducted in private and have restricted the extent of confidential information about such cyber-attacks that is made public.
There are various pre-emptive measures businesses can take to help them restore systems and data targeted by ransomware attacks. For example, businesses can protect themselves from being cut off from their systems and data by maintaining independent, segregated back-ups, which they can fall back on when primary systems are rendered unavailable in an attack.
Ian Birdsey is a partner at Pinsent Masons