There’s been a few developments related to my earlier post about the possible Travelodge compromise. Firstly, it’s been covered by The Register so is attracting some interest. Travelodge themselves have also confirmed via Twitter that they haven’t sold any data, which makes it pretty clear they’ve been broken in to.

I’ve also had a reply from the CEO of Travelodge. It’s a bit light on content:

Thank you for your email regarding spam e-mail you have received. I am sorry you have had the need to write to me, but appreciate you bringing this to our attention.

Please be assured we are taking this matter most seriously. I attached a copy of a letter to our customers, for your information.

It’s not clear who the letter has or is being sent to, but it was included as a PDF and the text reads:

Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware, that a small number of you; may have received a spam email via the email address you have registered with us.

Please be assured, we have not sold any customer data and no financial information has been compromised.

All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.

The safety and security of your personal information is of the upmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.

If you receive an email similar to the one detailed below, please delete it as spam.

They’ve included a copy of the original spam – I’ll not reproduce it here. The letter closes:

If you have any questions regarding this matter please email: andrea@tra…dge.co.uk. A
further update will be given, when we have completed our investigation.

At least they’ve responded quickly to this as companies can often take days or weeks. The lack of any detail is understandable, given that it’s still early days and they probably don’t know what happened themselves yet – but then, how can they give us assurances that financial data is safe if they do not know what happened…? The mention of PCI is a little superfluous, given that PCI-DSS is the baseline standard required by banks before you’re allowed to handle any credit card information. It’s no guarantee of security.

@PogoWasRight is on the right track, asking Travelodge: “Do you handle email marketing in-house or do you outsource to an email service provider? If the latter, who?”. We’ve seen cases of email marketing providers getting themselves broken into recently and Travelodge may be another in a long list.

Yesterday I received a spam email. Not unusual, but note the destination email address:

Subject: Zoe OConnell
Date: Wed, 22 Jun 2011 10:58:33 -0400
From: Lorraine Ackerson @lt;lorraineackersonas113@hotmail.com>
To: <zoe-travelodge@****.co.uk>

Greetings.
Don’t miss exciting business chance.
Reputable agency is looking for energetic worker in United Kingdom to help us expand our activity in the UK sector.

Necessity:
– 18+ United Kingdom resident
– Only operational knowledge of Internet & computer.
– Free access to personal e-mail box
– 2-3 free hours per day
– Fast replies on our written tasks
– Excellent organizational skills.

You can without problem combine our work with your primary work.
Great income potential. Free study possible.
Applicants must be honest and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can be our representative.
Our manager will e-mail you within few hours if you attracted.

—————-
Top News: taylor honored for boosting antelope island.

Note that it’s zoe-travelodge@… (You can guess what the full email is but I don’t want to make life too easy for spammers to harvest addresses) My mail system ignores anything after the dash and just puts it all in my mailbox, so that I can filter mail by source more easily and also spot who has been selling email addresses.

The spammers also knew my full name. And I’m not the only one in this position as several other users on twitter have complained of the same thing. I’ve just emailed the Chief Executive of Travelodge, Guy Parsons, (Hat tip to @benjymous for finding his details) to ask exactly what was stolen:

Dear Mr.Parsons,

Yesterday, I received spam email to an email address that has only ever been used to register on the Travelodge site. This was clearly not just someone making up random addresses as the email was specifically to zoe-travelodge@****.co.uk and the spammer knew my full name. I am not the only one to have experienced this as since last night at least half a dozen other people who also use unique addresses for registering on web sites have complained about exactly the same situation on Twitter.

It would appear likely, unless Travelodge are in the habit of selling on personal details to unsavoury third parties, that your site has been compromised. I would be grateful if you could confirm that this is the case and also what other details were stolen so that those affected can take appropriate action – was this just names and email addresses or were payment details and postal addresses compromised too?

I shall let people know if I get a reply.

Update at 1315: Travelodge UK, via twitter, have stated: “Sorry for the spam email you may have received. We have NOT sold any data. We’re currently investigating this issue and will update you ASAP”