MoneyGram data breach contributes to U.K. payment losses | PaymentsSource

What was supposed to be a routine renewal between MoneyGram and the U.K.’s Post Office has turned into a war of words that demonstrates the importance of managing cybersecurity risks.

The postal service on Sept. 30 notified MoneyGram that it was suspending service, one day before an existing payment contract was set to expire. Both sides had been negotiating a 12-month extension since June. The postal service cited a recent MoneyGram data breach as a reason for the lack of renewal.

MoneyGram in late September said it had suffered an outage. The extent of the outage was unclear, though TechCrunch reported it impacted the U.K. postal service and the Bank of Jamaica. MoneyGram, which has users in more than 200 countries and territories, did not respond to a request for comment. 

In a release on Tuesday, MoneyGram said that on Sept. 27 it determined an unauthorized third party accessed personal information of an undisclosed number of consumers between Sept. 20 and Sept. 22. The company’s investigation is in the early stages and all systems are back online, MoneyGram said. The types of information accessed include names, contact information such as phone numbers, email and postal addresses, Social Security numbers, national identification numbers, copies of government identification documents, payment information, and in some cases information about fraud investigations. 

The U.K. postal service referred questions about the matter to a letter that it sent to MoneyGram.

“The contracting process was in the final stages when, unfortunately, MoneyGram suffered the cyber attack,” the postal service said, adding it offered to extend the current contract for a shorter period to enable both parties to prioritize service renewal. “This short extension would have also enabled us to understand any longer-term impact of MoneyGram’s cyber incident for our customers, postmasters, and partners as this challenging situation continues, Unfortunately, MoneyGram has not accepted our offer, and therefore our contract with them will end,” the postal service said, adding it was still committed to continuing the partnership.

MoneyGram told ComputerWeekly, which broke news of the U.K. contract dispute, that it is “disappointed to see how the UK Post [Office] has portrayed the situation … our cyber security experts have determined that the incident has no effect on our agents’ systems. It is unfortunate that the Post Office has taken this stance after our trusting partnership of over 25 years. We sincerely hope that we further the dialogue with the Post Office and can work with [subpostmasters] in the future.”

It is unusual that the Post Office went public with its reasons for terminating the contract, according to Aaron McPherson, principal at AFM Consulting. “These things are usually handled more discreetly. It depends on how severe the cybersecurity incident was, and how easy it would be to secure another vendor … it does show the importance of handling cybersecurity incidents well. Evidently, MoneyGram really angered the Post Office with its response to provoke such a public reaction.” —John Adams