A recent ransomware attack paralysed global currency exchange company Travelex, forcing the firm operating in over 70 countries to revert back to utilising pen and paper.
The attack occurred on the 31st of December 2019 and resulted in all computer systems being taken down to prevent the spread of the malware. At least 20 Travelex websites in different countries became inaccessible, leaving its retail sites, including those in airports, without access to email or IT systems. The decision to shut down the site not only impacted Travelex customers but also companies that utilised their services including;
Tesco
Sainsbury’s
First Direct
Virgin Money
The ransomware gang REvil, who claimed responsibility for the attack, demanded £4.6 million to return all data and restore networks. Travelex advised that the key data was encrypted following the incident which may have been the root of the delay in returning external systems, allowing the purchase of currency online, to become operational.
Interestingly, Travelex did not inform the Information Commissioner Officer (ICO) of the breach, with Travelex maintaining that no data was compromised. To reiterate, data does not need to be compromised for the ICO to deem a breach has occurred, with a time-frame of 72 hours to notify. Additionally under new General Data Protection Regulation (GDPR) legislation a claim can be brought against a company due to material or non-material infringement, with damages available even where there has been no monetary loss. This could include but is not restricted to embarrassment, distress or inconvenience.
Travelex would not be the first company to be investigated at a global level with British Airways and The Marriott Hotel Chain hitting headlines last year. The prior limitation of a £500,000 fine has been eradicated with British Airways facing a fine of £183 million and laterally Marriott International of £99 million.
The Investigations and fines issued by the ICO are not limited to large international organisations with the first UK fine under GDPR being issued late December 2019. This was to Doorstep Dispensaree Ltd for the sum of £275,000 alongside a requirement to improve its data protection compliance within 3 months. The fine was as a result of 500,000 documents that showed names, addresses and medical information being available in unlocked containers in the courtyard.
In addition to potential fines, cost for companies hit by a cyber-attack can quickly shoot up.
A business affected by a disruption to its computer network system may experience and is not limited to;
Loss of production
Loss of revenue
Significant breach response costs
Possible exposure to third party liability claims
Diminution of market share
Damage to corporate reputation
Demand for ransom payment ostensibly in exchange for allowing the business to regain access to its computer. Many destructive attacks often include “wiper” malware to increase the pressure on victims to pay the ransom.
Danish hearing aid manufacturer Demant estimated (opens a new window) the cost of a September 2019 cyber-attack at up to DKK 750 million (£85 million), for example.
Without an appropriate insurance programme in place, the impact will be realised by the organisations’ bottom line.
Remediation costs will be included in the cyber-programme and should cover the following:
Initial Response Costs
IT forensics
PR
Call centre support
Legal Liability
Loss of Income
Credit Monitoring
If you aren’t sure on the impact a cyber-breach would have on your organisation Lockton are able to conduct both qualitative and quantitative analysis to establish your needs. Our market-leading cyber-security practice has extensive experience of dealing with the most complex of cyber claims.
For further information, please contact:
Justine Chalmers, Development Executive
Tel: +44 (0)141 226 8791 | Email: justine.chalmers@uk.lockton.com (opens a new window)
