The next successful “Travelex” attack is just around the corner…

Hackers have held Travelex to ransom since an attack on New Year’s Eve, demanding the firm pay $6m (£4.6m) before they unlock its systems. The impact on Travelex has been nothing short of a disaster, and as a case study in how to deal with cyber crime, this has been described by some media commentators as “a masterclass in what not to do”.

The attack has left the firm without any systems, reducing their employees to servicing customers with just a pen and paper. This has affected customers including banks like Barclays, Lloyds and RBS, which use Travelex to provide their travel money services, and at time of writing Travelex had refused to say when some services will be restored.

Communication between the company and their customers since the attack on New Year’s eve has been fractured. Reports would indicate that customers have not been updated on how or when they will receive money held by Travelex, or at this stage even if they will be able to retrieve their currency at all.

It has also emerged that Travelex’s parent company Finablr hold a cyber insurance policy which could have responded to support the business at the outset of the attack – however Travelex’s management were not aware of this so days went by without a properly co-ordinated response.

It is widely known that the first 72 hours of any attack or breach is critical (see our article “How will your business respond in the critical 72 hours following a data breach?”) and Travelex’s failure to respond effectively within this window in terms of securing or repairing systems, communicating with key stakeholders and reporting to the Information Commissioners Office (ICO) could have a catastrophic effect on the business. In addition to terrible impact on the business’ reputation, the ICO has the power to levy a maximum fine of 4% turnover - potentially over £31 million in Travelex’s case, and the scale of the fine is sure to be affected by the effectiveness of their response.

Travelex’s experience dramatically highlights the importance of taking cyber risk seriously. Every business should consider essential risk management measures, and in particular:

  • training employees on cyber risk – experience shows that employee error is the most likely cause of the breach
  • Management of IT infrastructure and the security of data relating to employees, suppliers and customers.

It also puts a spotlight on the need to have appropriate Cyber Insurance in place. A quality cyber policy will help businesses to recover as quickly as possible

  • ensuring effective communication with customers and the ICO,
  • restabilising systems & networks,
  • tracing the attack,
  • paying ransoms as a last resort,
  • preparing legal documents when dealing with the ICO
  • PR support to help protect the brand for the future.

The sad fact is that many businesses still do not recognise cyber risk as one of the most significant threats they face. No doubt Travelex, like every responsible business will have had their premises and property insured against fire – but it is hard to see how a fire could have had a more catastrophic effect on the business than the current cyber attack.

Contact your nearest GRP broker office for expert advice on cyber cover