The critical cyber event currently affecting Travelex could yet be an existential one for the company. Their operations have now been ‘out of commission’, as it were, for more than ten days and still show no sign of being resolved. They appear to have got themselves into a stand-off with the ransomware gang holding them hostage, with the pressure on them to resolve the situation increasing every day, which surely plays directly into the hands of the hackers.
Travelex seem to have taken the unusual route of switching all their systems off, so that the hackers cannot inflict any further damage or steal any further information, and are working as fast as they can behind the scenes to track down and resolve the issue without paying the reported £4.6 million ransom demand. They have neither formally informed their customers of the risk to their data nor reported a data breach to the ICO.
This does seem to be a very high-risk course of action that is currently costing them much more than the ransom demand in terms of lost revenue and damaged reputation. The best advice is of course not to pay a ransom demand and at the same time to use backup data sources to restore your operations. It is not yet clear why Travelex has been unable to do this.
The position that Travelex has taken has left their customers and other stakeholders in limbo. There are reportedly up to 17 UK banks and other financial institutions that cannot provide foreign currency to their customers because their own systems are so tied to Travelex. This highlights one of the prevailing issues in our increasingly interconnected world: someone else’s actions can significantly impact your company even if you have no say in the matter.
The key objectives in handling any critical event are to manage your stakeholders properly while you resolve the crisis as quickly as possible. Unfortunately for Travelex, they seem to be doing neither. This may be beyond their control at this point, but it should be a lesson for anyone else who has customers, suppliers or employees dependent upon them.
Always have backup data, always have a response plan and always have a means of communicating effectively with your stakeholders when a crisis hits. A unified cloud-based critical communications platform like Crises Control is independent of your core systems, so if they are frozen or down you can still communicate. It can also host your response plans and stakeholder contact details, so that you can still access these too.
You can never guarantee that you will not be hit by a critical event, but you can make sure that if it does happen you are ready to respond to it as quickly and effectively as possible. After all, the only thing worse than planning for That Day is explaining why you didn’t when That Day comes.
MD, Crises Control