There’s been a few developments related to my earlier post about the possible Travelodge compromise. Firstly, it’s been covered by The Register so is attracting some interest. Travelodge themselves have also confirmed via Twitter that they haven’t sold any data, which makes it pretty clear they’ve been broken in to.
I’ve also had a reply from the CEO of Travelodge. It’s a bit light on content:
Thank you for your email regarding spam e-mail you have received. I am sorry you have had the need to write to me, but appreciate you bringing this to our attention.
Please be assured we are taking this matter most seriously. I attached a copy of a letter to our customers, for your information.
It’s not clear who the letter has or is being sent to, but it was included as a PDF and the text reads:
Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware, that a small number of you; may have received a spam email via the email address you have registered with us.
Please be assured, we have not sold any customer data and no financial information has been compromised.
All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.
The safety and security of your personal information is of the upmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.
If you receive an email similar to the one detailed below, please delete it as spam.
They’ve included a copy of the original spam – I’ll not reproduce it here. The letter closes:
If you have any questions regarding this matter please email: andrea@tra…dge.co.uk. A
further update will be given, when we have completed our investigation.
At least they’ve responded quickly to this as companies can often take days or weeks. The lack of any detail is understandable, given that it’s still early days and they probably don’t know what happened themselves yet – but then, how can they give us assurances that financial data is safe if they do not know what happened…? The mention of PCI is a little superfluous, given that PCI-DSS is the baseline standard required by banks before you’re allowed to handle any credit card information. It’s no guarantee of security.
@PogoWasRight is on the right track, asking Travelodge: “Do you handle email marketing in-house or do you outsource to an email service provider? If the latter, who?”. We’ve seen cases of email marketing providers getting themselves broken into recently and Travelodge may be another in a long list.