
Travelex cyber ransomware case shows importance of service contracts

Out-Law News | 10 Jan 2020 | 2:32 pm | 2 min. read

Businesses that rely on others for providing services to their customers should review their contracts with their service providers in light of the cyber attack on foreign exchange company Travelex, an expert in cyber risk has said.

Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, said the terms of such contracts will dictate whether the businesses have any recourse against their service provider in circumstances where services are disrupted due to a cyber event.

Several banks have reported that their foreign exchange services have been impacted by Travelex's decision to take its systems offline in a bid to contain a software virus.

A group of hackers known for its use of ransomware has claimed that it is behind the attack, according to the BBC. The group said it had accessed Travelex's systems and downloaded customer data, and that it wants the company to pay $6 million.

In a statement posted on its website, Travelex said it had taken its systems offline as a "precautionary measure" and to "prevent the spread of the virus further across the network". It said it is "working to restore our systems and resume normal operations as quickly as possible". However, Travelex said that its ongoing investigation had yet to find evidence that customer data had been compromised in the attack. The UK's Information Commissioner's Office (ICO) confirmed to Out-Law on Friday afternoon that it has not been formally notified of a data breach by the company.

Travelex said it is working with the UK's National Crime Agency (NCA) and the Metropolitan Police and that both bodies are conducting criminal investigations.

"This case is the latest high-profile example of the ever-present threat of ransomware attacks," said Birdsey. "Such attacks carry risk for businesses in a range of areas, from legal and regulatory risk of non-compliance with requirements on data privacy, to the reputational damage that can arise from the impact on customers from disruption to services or from having an ineffective, unprepared or untested customer engagement and public relations strategy for cyber events."

"In today's world of increased integration of technology and data, there is a risk that many businesses will be exposed where ransomware attacks are carried out on third party service providers. It is therefore also imperative that businesses anticipate this risk and seek to reflect this in service level agreements and other terms of their contracts regarding liability with a view to being able to obtain redress for any impact caused to their operations and services stemming from cyber attacks on service providers," he said.

Birdsey said: "UK courts have already demonstrated their willingness to support businesses in their attempts to identify those responsible for cyber attacks and shut down their operations – a number of cases have already come before the UK courts where injunctions have been issued against 'persons unknown', including where service has been effected via email, and where courts have permitted hearings to be conducted in private and restricted the extent of confidential information made public about such cyber attacks."

Birdsey said there are various pre-emptive measures businesses can take to help them restore systems and data targeted by ransomware attacks.

"For example, businesses can protect themselves from being cut off from systems and data by operating independent, segregated back-ups which they can fall back on where primary systems are rendered unavailable in an attack," he said.

In a statement, a spokesperson for the ICO said: "We are in contact with Travelex and giving advice on potential personal data issues following the recent ransomware attack; the company has not reported a data breach."

"If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it, and be able to explain why it wasn’t reported if necessary. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms. All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO," they said.