TravelEx
In December 2019, foreign exchange company TravelEx suffered a massive data breach. Cyber criminals launched a sophisticated ransomware attack on New Year’s Eve that brought the company to a complete standstill. TravelEx took down its websites across 30 countries to try and contain the attack, but it was in trouble.
The criminals, who were part of a gang known as REvil, claimed to have already accessed the company’s computer network and stolen 5GB of sensitive customer data. Allegedly, this included dates of birth, credit card information, and national insurance numbers.
TravelEx failed to file a data breach report to the UK Information Commissioner’s Office (ICO), which is a national requirement for companies that suffer data breaches. Under GDPR, failing to do so within 72 hours of the original breach can result in a fine of 4% of the company’s global turnover.
What happened to TravelEx?
After negotiating with the preparators, the company agreed to pay a ransom of $2.3 million. Its parent company, Finablr, attempted to sell the company, but was ultimately unsuccessful. A subsequent restructure resulted in the loss of over 1,300 jobs.
It later transpired that concerns around digital security vulnerabilities had been raised earlier in 2019. When this came to light, the impact on TravelEx’s reputation was catastrophic. The company survived the ordeal, but it has never recaptured the market share that it held before it suffered the cybersecurity breach.
