The foreign exchange firm Travelex has yet to report a data breach despite being targeted by a ransomware attack that has kept its systems down since 31st December.

The London based firm took the decision not to notify the ICO within 72 hours of their data breach, despite GDPR guidelines being clear that a notification must be issued if customer data is at risk. The company’s systems were infiltrated by a form of ransomware called Sodinokibi, or REvil, which paralyzes computers and threatens to release data if a ransom is not
paid.

It is inadvisable for large organisations to try to divert attention away from major security breaches. In July 2019, British Airways was fined a record £183.39 million over a data breach with compromised the personal information of approximately 500,000 customers. The ICO cited poor security arrangements as a reason for the severity of the fine.

By not reporting a breach as severe as that which is currently affecting Travelex, the firm is raising suspicions that their systems may not have been adequately engineered to defend against such an attack. The company continues to maintain that “there is still no evidence to date that any data has been exfiltrated”, according to report by Computing
magazine.

Following news of the breach, the ICO released a statement to remind organisations of their responsibilities.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported, if necessary.

“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO.”

Ensuring robust, GDPR compliant systems

This latest attack is a reminder that businesses must not only ensure that their systems are safeguarded to stringent levels, but also that any data stored is handled in line with the current regulations. Travelex have a physical presence across Europe, however, if they didn’t, this breach could show them to be in violation of Article 27 of the GDPR.

Article 27 of the GDPR states that if you use data on clients, customers or prospects in the EU but you don’t have a presence in the EU, you must appoint a representative here on your behalf. Data breaches like the one affecting Travelex are just one of the many ways in which organisations can potentially get caught out and fined by not following this important piece of legislation.

Are your systems robust enough to handle a data breach and, should you be breached, are you holding data on EU citizens that could be exposed? Without an EU representative appointed to handle any complaints, you could be putting yourself at risk of a very hefty fine.

For further information on appointing an EU representative for your business, click
here.