I received an email last night which suggests that Travelodge UK have either begun selling their customer database, or have had their security compromised. The mail I received was:


From: Ena Walton
To: <***@shepy.co.uk>
Subject: Richard Shepherd
Date: Wed, 22 Jun 2011 19:12:14 +0000

Good day.
 Don't miss exciting profession opportunity.
 Our Corporation is looking for energetic representative in United Kingdom to help us spread out our  activity in the UK sector. 

 Required Skills:
 - 18+ United Kingdom resident
 - Only basic knowledge of Internet & computer.
 - Free access to personal e-mail box
 - 2-3 free hours per day
 - Immediate replies on our written requests
 - good organizational talents. 

 You can without problem combine our work with your  primary work.
 Great income ability.  Free instruction available.
 Those who are interested must be fair and business motivated.  Operate only some hours per day.
 Everyone residing in the United Kingdom can be our agent.
 Our manager will e-mail you within several if you attracted.

The eagle-eyed among you will notice that the subject is my full name, which is not what you would expect to see in spam. That caused me to look a little closer and see that the email address to which it was sent is actually one that I have only ever provided to Travelodge UK.
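The check described above, one unique address per company and a look at which address the spam arrived on, can be automated over a mailbox. The following is an added example, not part of the original post; the alias registry, domains, names and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: each alias was given to exactly one organisation.
ALIASES = {
    "hotel-7f3a@example.org": {
        "vendor": "Hotel chain",
        "domains": {"hotel.example"},   # domains that vendor mails from
        "name_given": "Alex Example",   # name supplied at registration
    },
}

def leaked_alias_findings(raw, aliases=ALIASES):
    """List aliases in this message used by someone other than their vendor."""
    msg = message_from_string(raw)
    # From is trivially forged: a match proves nothing, a mismatch is the signal.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    findings = []
    for rcpt in sorted({addr.lower() for _, addr in getaddresses(headers)}):
        entry = aliases.get(rcpt)
        if entry is None:
            continue  # not one of our per-vendor aliases
        if any(sender == d or sender.endswith("." + d) for d in entry["domains"]):
            continue  # claims to come from the vendor the alias was given to
        findings.append({
            "alias": rcpt,
            "vendor": entry["vendor"],
            "sender_domain": sender,
            # The registered name in the subject means more than the address leaked.
            "name_exposed": entry["name_given"].lower() in msg.get("Subject", "").lower(),
        })
    return findings

# Constructed samples, modelled on the spam quoted above.
SPAM = """\
From: Ena Walton <ena@jobs.invalid>
To: <hotel-7f3a@example.org>
Subject: Alex Example

Don't miss exciting profession opportunity.
"""
LEGIT = """\
From: Bookings <noreply@mail.hotel.example>
To: hotel-7f3a@example.org
Subject: Your booking confirmation

Thanks for booking.
"""
```

A finding tells you which organisation's copy of your details is in circulation, which is the evidence to quote when asking them whether it was a sale or a compromise.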


I put out a tweet last night saying “Dear @TravelodgeUK I’ll not be staying with you again as you sold my email address to spammers, and it was a unique mail addy only you have.” and then this morning got a reply from @benjymous providing the email address for the CEO of Travelodge, and suggesting that I was not the only person with this problem.


Following suit from @zoeimogen I have sent an email to the CEO of Travelodge, stating the following:


Dear Sir,

Yesterday evening I received a spam email from a company, which was
interesting in the fact that it had my full name as the subject of the
email, certainly unusual for spam. Looking closer in to this I notice
that the email address it was sent to is an email address that I have
only ever provided to Travelodge.

This leads me to one of two conclusions.

1) You are in the business of selling customer details and databases
2) Your systems have been compromised and customer details have been exposed.

I would therefore like confirmation if my details have been sold or
provided to third parties or if the security of the data has been
compromised. To the best of my knowledge I gave no such permission for
data to be passed to a third party, and habitually tick the box to not
be contacted for promotion or third parties when registering with a
site. As the subject of personally identifiable data I have the right
under the data protection act to know if my data is being handled
correctly and in accordance with the reason for which it was provided,
and nothing else.  If the data was sold I would like confirmation that
I authorised this to happen, and no doubt will be following this up
with a data protection request to view all information held on me and
how it has been processed.

If you have suffered a security compromise and data has been obtained
by unauthorized access I would like to know which data is stored in
the systems that have been broken in to, such as address, billing etc.

The mail address used to register with yourself was ***@shepy.co.uk

I eagerly await your response.  If I receive no reply within 72 hours
I shall be raising a complaint with the ICO.

Regards

Richard Shepherd


Hopefully others and I will receive a reply soon, and if so I will obviously follow up this post with an update.


UPDATE:


Well, Travelodge has been thus far silent with consumers, but El Reg is reporting on it, and Travelodge themselves say “Sorry for the spam email you may have received. We have NOT sold any data. We’re currently investigating this issue and will update you ASAP”. This basically means this is either a leak or a hack, neither of which is very reassuring, and it confirms that someone has had unauthorised access to the data. The question now is to what extent, and what data?

If you’ve seen any of this spam, there is a hashtag at #travelbotch you can monitor / join in to keep updated.


UPDATE #2:

More on this on another post at http://www.shepy.co.uk/blog/2011/06/travelodge-uk-hack-update-official-statement/



~Shepy