Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack

Travelex continues to insist that no personal data was compromised

Travelex has issued an update claiming that it is making "good progress" in its recovery from the ransomware attack on New Year's Eve that forced it to take down critical IT systems. It also continues to insist that no personal data was compromised as a result - a claim disputed by the purported attackers.

"We continue to make good progress with our recovery and have already completed a considerable amount in the background.

"We are now at the point where we are able to start restoring functionality in our partner and customer services, and will be giving our partners additional detail on what that will look like during the course of this week," said Tony D'Souza, CEO of Travelex who has remained largely silent throughout the two week hiatus in the company's services.

A ‘data breach' does not necessarily mean a loss of data, but simply data not being available

He added that the company was currently working through a plethora of "technical, commercial, legal, regulatory, law enforcement, and other complexities of a global organisation that has experienced an attack". He continued: "We are confident, based on our efforts to date, that we will be able to restore our services and ensure the integrity and robustness of the network."

The company plans to start restoring customer-facing systems this week, "beginning with those which enable the company to process customers' order electronically within its partners' and its own retail branch networks", according to the statement.

It continues: "This follows the restoration of many of the internal capabilities necessary to support partner and customer services, which has been in progress since the beginning of last week. The focus is to ensure the integrity and robustness of the network and therefore Travelex is bringing systems up in a controlled and secure manner."

We are now at the point where we are able to start restoring functionality in our partner and customer services

However, the statement also asserts that "there is no evidence to suggest that customer data has been compromised". It adds that while "the Information Commissioner's Office (ICO) is aware of Travelex's position", it stops short of admitting that it has notified the ICO of a data breach.

The last point is important because even if no data has been purloined, surreptitiously used or published elsewhere that may not be sufficient to prevent the ICO from launching an investigation - and levying a swingeing fine.

In an interview with Computing, technology lawyer Jonathan Armstrong, a partner at law firm Cordery, pointed out that data does not necessarily have to be lost or stolen in order to constitute a data breach under GDPR.

"The European Data Protection Board (EDB) has been very clear that a ‘data breach' does not necessarily mean a loss of data, but simply data not being available. For example, the WannaCry virus that affected the NHS. Too many people don't understand that ransomware can be classified as a data breach," Armstrong told Computing.

The company could therefore still be in hot water with the authorities over the attack and the way in which it handled it.

All Computing's coverage of the Travelex ransomware outbreak:

• Travelex refuses to comment on whether it paid ransom to get its data back
• Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack
• Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data
• ICO: Travelex hasn't reported a data breach
• Metropolitan Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack
• Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
• Travelex ignored September warning over 'insecure' VPN server software
• Travelex takes down currency exchange website following New Year's Eve cyber attack