Re: ICO hints that GDPR appears to be optional
Travelex are (currently) claiming no data has been exfiltrated. *If* that is true, there is no breach to be reported to the ICO.
If it turns out that a bunch of IP addresses has been exfiltrated, it may be possible to argue that "people's right and freedoms are not at risk". If email address, password hash and salt have been exfiltrated ... not so much.