Travelodge is investigating its IT systems to discover how customer email addresses have gone astray. The Reg was contacted this morning by a reader who was receiving spam emails to a unique email address he had only given to Travelodge. Several other customers have blogged of similar experiences, here's Shepy's post on the …
I'd also like to know how an address I've only ever given to the Times is now receiving copious spam. Respect to Travelodge for at least investigating, unlike Murdoch's lot.
Unless the address was particularly unique, it is possible that spammers were automatically trying lots of randomnames@givendomainname
It is often interesting to delve into mail server log files and see who is trying to send what and to whom.
Yes - very useful. Anything that appears in the logs often gets added to our honey pot list and further missives cause the senders to be added to the banned IP list. There's no need to seed the alt.sex newsgroups any more ... it's jolly decent of the spammers to relieve me of that task.
Lenny Henry's favourite motel?
I think you'll find Lenny Henry promoted Premier Inn, not Travelodge.
...maybe he's implying that whilst Lenny might advertise Premier Inn, he'd much rather actually stay at Travelodge.
(That's always bothered me. Travel -odge? Trave -lodge?)
Lenny Henry's favourite motel chain
No, he's actually a purple Premier Inn kinda guy.
Travelodge is way, way too cheap - just look at what happened when he used to stay there, before he discovered the delights of the overpriced Premier Inn!
A copy of spam received
Just checked my spam folder. Surely enough...
from Bernarda Mcgee ffMcgeeBernarda@hotmail.com
to travelodge@<my personal domain>.com
date 22 June 2011 19:04
subject <My full name>
This is unique business opportunity.
Reputable agency is seeking for energetic worker in United Kingdom to help us start our business in the UK sector.
- Full age United Kingdom resident
- Only operational knowledge of Internet & computer.
- Free access to personal e-mail box
- 2-3 free hours per day
- Fast replies on our written tasks
- good organizational skills.
You can without problem combine our work with your primary work.
Admirable salary ability. easy study available.
Applicants must be intelligent and business oriented. Operate only some hours per day.
Any person residing in the United Kingdom can become our representative.
Our manager will contact you within several if you attracted.
Breaking News: holy spirit graduate aj holland to sign with braves.
RE: A copy of spam received
I've had something similar, and I've used Travelodge before as well.
It raised an eyebrow as I don't normally get spam emails listing my full name...
Funnily enough I had exactly the same email to email@example.com also.
In fact word for word.. Obviously they have got my address too.
Might have been nice for Travel Lodge to email its customers and advise...
"Hotel chain's customers aggrieved"
...yeah, but to be fair they mainly were before the hack.
After a series of incredibly bad experiences with them I avoid them wherever I can. Lenny Henry's favourite lot are much better, and often not much more expensive.
On the other hand ...
... my wife and I have rarely had a bad experience at a Travelodge, which we use fairly regularly despite having one of Best Western's regular user cards (whatever it is called).
Travelodge is like McDonald's - I know what I am going to get every time, regardless of location. The standard will be basic, but it will be clean and tidy(ish), and not cost a lot (usually, with sufficient advanced planning). Checkouts are sufficiently late for a lie-in I have time, and check-in is early enough to make getting settled in before dinner easy.
Disclaimer: I have no connection with Travelodge in any way, and this is not a solicited comment - just putting the opposite view to dotdavid's.
Travelodge want your spam
If you've received spam, send it to firstname.lastname@example.org as they are collating as much information as possible. Remember to include headers and message source.
I've just phoned their CS number (01844 358500, they're quite busy at the moment for some reason) and the CS team are all over it - a credit to them, at least they've not got their heads in the sand.
That will be a wake up call
for their security.
This happens quite a lot.
I've had my own domain for many years, and as I use a catch-all mailbox, I took to putting a suffix onto my name so I can see when/if an address leaks into the wild.
All in all it hasn't been too bad. El Reg hasn't leaked (which is nice), but a few online retailers I had dealings with have managed to get onto my "naughty" list. Which just means I create a dedicated mailbox for that address on the server and pipe them all into the trash. It also means I don't deal with that company again.
I invoke an identical process and have had similar experiences on addresses linked to
and BirdsEye's former promotional site bemortgagefree.co.uk
The majority was spam but interestingly the one sent to the Boffer address was from a Boffer type competitor I had never heard of. Boffer denied anything untoward and deleted my forum posts on their site when I asked if others had received similar experiences.
Maybe a coincidence
But has anybody else who had the Travelodge spam also had one of those Indian "your computer is infected" phonecalls today ("Alex" from "MS Tec World" in case anybody's interested)? Where they get you to go into the event viewer and tell you that warnings/errors mean you're infected. It occurred to me that I rarely give out the number this lot called on, and Travelodge would have been one of those companies that had it.
Re: Maybe a coincidence
Ah, my favourite callers... Kept one of those busy for almost half an hour the other week. I did enjoy myself.
They even called back the next day, but I didn't have time to play that day. Now they don't call... I miss them and feel lonely and unloved.
Pity really, because I've now got a VM all set up and ready to run their dodgy remote access software (plus it has a few manually induced "faults" to keep them entertained).
Maybe I should give my details to Travelodge so I can get back in contact with them :-)
Incidentally, the last time they called was a couple of days after I had been dealing with Talk-talk's Indian call centre - coincidence?
I wonder if we're looking at the wrong thing here...
There is - in the vast majority of cases - absolutely no need to maintain an email address, let alone any personal data - once the original booking has completed. On a standard purchase of goods, there's no need for it at all - and yet they're not only grabbed but you can't buy stuff without handing over an email address. Hence many of us have dozens of throwaway email addresses...
Here's a possible solution: When you first make a booking, or when you first purchase something, *they* send *you* an email with a one-off passkey. They then destroy your email details.
Thereafter, the passkey enables you to track a booking or purchase, but without the necessity to store your email address. The passkey alone provides access to your account, but that's it.
Of course, if they *don't* have my email address, they wouldn't be able to send me weekly offers to spend a weekend at parts of the country I never visit, but I'm sure I can live with that... and be honest: how many people actually respond to offers even when they've bought services or goods from the company in the past?
I use TrashMail for the same purpose.
I very rarely use my real address for buying anything. I create a disposable address with the TrashMail add-on for Firefox with an estimate of how many e-mails it might need. It is easy to correct later if necessary. It seems to work, because I receive very little spam.
Be all modern and fancy like
Appending a + suffix to your email address comes in very handy!
e.g. email@example.com will be delivered to firstname.lastname@example.org, handy for filtering and fingering. Ahem.
...too many sites (incorrectly) reject emails with a + in them, so I have to create ANOTHER throwaway address!
That's all well and good...
I use a dot
I've got some custom config stuff on my mailserver that lets me use "." like that - so email@example.com - since there's no ambiguity with the "." it doesn't upset badly built sites
Only one email address leaked
I noticed this today, as it was addressed to the name of someone I booked on behalf of once, using a firstname.lastname@example.org address. So it's not just the email address, but also the account holder name they've pilfered.
I also have another account with them using email@example.com but no email has been sent there (so far).
Google identified it as spam, so unless they've not shown me the 2nd mail then it could be that it's an 'old' dataset that got taken?
travelodge@yourdomain is hardly unique.... a quick dictionary test would find that or just a random spam email to obvious company names as so many people use something like that.
completely unique actually
And reasonably conclusive in my case.
I have 2 accounts in my name, with 2 different email addresses. I am receiving spam to both addresses quoting my account name.
I wonder if any credit card data is kept by travelodge?
AC, travelodge@yourdomain may not be unique, but I managed a misspelling in my unique tag for Travelodge, and in my case the e-mail was to this misspelt tag and nothing to the correct one. Plus they seem to know everyone's first and last names. They've definitely done a bad murde^Wfail.
Except the email to travelodge@mydomain included my full name - something random spam just to an email address would not contain.
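The per-company address tagging that several commenters describe, together with the objection that travelodge@yourdomain could simply be guessed, sketched as an added example (not any commenter's own setup). It uses the "." separator mentioned above and an HMAC suffix so that a dictionary guess can be told apart from a genuine leak; the secret, the domain `example.org`, the vendor name and the sample messages are all constructed.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

SECRET = b"constructed-demo-key"  # assumption: a secret known only to the mailbox owner
DOMAIN = "example.org"            # placeholder for the owner's catch-all domain

def tagged_address(vendor: str) -> str:
    """Per-vendor address whose suffix cannot be produced by dictionary guessing."""
    vendor = vendor.lower()
    mac = hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{vendor}.{mac}@{DOMAIN}"

def classify(raw_message: str, vendor_domains: dict) -> list:
    """Return (recipient, verdict) for each recipient on our catch-all domain."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    # From is unauthenticated; a real filter would also require an SPF/DKIM pass.
    sender_domain = senders[0][1].rpartition("@")[2].lower() if senders else ""
    verdicts = []
    for _, rcpt in getaddresses(msg.get_all("To", [])):
        rcpt = rcpt.lower()
        local, _, domain = rcpt.rpartition("@")
        if domain != DOMAIN:
            continue
        vendor = local.rpartition(".")[0]
        genuine = bool(vendor) and hmac.compare_digest(
            tagged_address(vendor).encode(), rcpt.encode())
        if not genuine:
            verdicts.append((rcpt, "guessed-or-untagged"))   # e.g. travelodge@domain
        elif sender_domain in vendor_domains.get(vendor, ()):
            verdicts.append((rcpt, "expected-sender"))
        else:
            verdicts.append((rcpt, "leaked:" + vendor))      # only the vendor had it
    return verdicts

def sample(sender: str, rcpt: str) -> str:
    """Constructed sample message, not taken from any real mailbox."""
    return f"From: {sender}\nTo: {rcpt}\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    known = {"hotelchain": {"hotelchain.example"}}   # hypothetical vendor
    addr = tagged_address("hotelchain")
    print(classify(sample("offers@hotelchain.example", addr), known))
    print(classify(sample("jobs@freemail.example", addr), known))
    print(classify(sample("jobs@freemail.example", "hotelchain@" + DOMAIN), known))
```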
List of customers revealed
And they all coincidentally turned out to be "Mr and Mrs John Smith". Don't Travelodges exist purely to facilitate extramarital affairs?
Just found it in my spam folder as well and passed it on to CS at travelodge.
see also: pixmania
I had one recently from pixmania (they look french but they are part of Dixons)
That one also had not just an email address (pixmania_nnn@mydomain) but also used my correct forename and surname (which are not obvious from the email address).
There's a lot of it about. What is the appropriate response, legally speaking?
I emailed my spam to the CEO along with an ICO complaint form and copied in firstname.lastname@example.org. Dunno whether that's appropriate, worthwhile or a waste of time!
I got a spam email yesterday, to my travelodge only address. More worryingly it also had my full name as the subject, which leads me to think that they have been compromised (and what else).
Change of passwords all round!
I emailed them and got a canned response saying "Thanks for your feedback, but we can't respond to all comments" I responded saying I wasn't leaving feedback, and wished a response about the security of any personal data they hold on me or I'd be taking it up with the information commissioner.
The Spam email came from (I assume false) Hotmail address, but seems to have been routed from a .ru address.
My, you've had a sheltered life.
Paris, she's not low rent
And another one..
Why can't these idiots realise that running an online presence is a bit more complex than 'corporate branding' and dumb software that pretends to be an 'automated assistant'? Some years ago, when involved in running a major online service - I was able to watch the logs of our external facing servers and proxies. Direct and indirect attacks, password attacks, brute forcing, dictionary attacks, SQL injections. The bad guys are persistent, and smarter than the idiots who think that outsourcing at the lowest possible price is 'the best way' to run an E-commerce service.
I've received the same spam, to a unique address created a month or so ago - for a stay in a travelodge a couple of weeks ago. Like everybody else, it was personalised with my full name. My stay with them was booked and paid for online - so who knows if my credit card details have headed east too. It's about time the ICO started to hit these muppets hard. Fine them (or withdraw their online payment collection facilities) for having insecure systems, inadequate Intrusion detection, and poor or non-existent independent penetration testing. Hitting them financially is the only way that they'll learn the data protection lesson. I think it's about time a few very public examples were made, to concentrate the minds of the rest...
"withdraw their online payment collection facilities for having insecure systems"
I do like that idea, but surely it'll never happen because it means the card processors will lose their middleman's fees?
Interestingly, I have not received any spam apart from the usual stuff from Travelodge, the last being on June 16th.
I guess GMail is doing a good job of blocking it.
Thankfully, I do not use the same password on any sites so that won't be an issue and any credit card associated with Travelodge will have long since expired. I used Travelodge once - never again. It was a hole.
New rule for all computer security journalists...
As of about a fortnight ago, ALL computer security stories must include at least one reference to LulzSec, regardless of whether there is any indication they were actually involved or not. Or at least, that's what it seems like lately.
Not too surprised considering their IT dept recent form
Considering all the problems Travelodge have been having recently with their brand new site that lasted a week back in February before being pulled due to half of it not working properly (really well tested)!
Then they had their £10 sale which took their web site offline all day due to not figuring out that maybe, just maybe it might generate a little more traffic than normal, giving those tech heads who saw it a bit more concern over their IT dept skills or budget.
Would be interesting to know if the people who got this spam last booked via the old or new web site as that might give a clue as to exactly what got hacked (if anything) and who is to blame.
AC due to some connections to Travelodge.
Note that they don't say that email addresses were not acquired by hacking.
It must be the 'hackers'
I've said it before and I'll say it again. The sheer number of corporations hit by 'hacker' attacks in the last six or seven months, compared with previous years, just seems improbably large. And while some are no doubt genuine external penetrations, I still have this nagging feeling that some individuals in some companies, with or without the backing of their superiors, may be using 'hackers' as an excuse to sell customer data for profit. I have no evidence of course, and I wouldn't even dare suggest which ones are probably genuine and which might be deliberate. I just have a very strong gut feeling that there are shady dealings afoot. The numbers simply don't feel right.
And remember, those of us who use unique e-mail addresses for each recipient are a tiny, tiny minority of the customer base, even for technology companies and gaming websites. For someone like Travelodge the percentage will be even smaller. The vast majority of people who end up getting spammed as a result of this situation, be it penetration or otherwise, will be none the wiser as to why. So for any company or individual who WAS selling the customer database, the rewards would be great and the risk of detection relatively small.
No Need to Hack
Some years ago I stayed in a Travelodge near Wales and found the previous three years' worth of credit card receipts and business invoices being stored in boxes at the back of my wardrobe.
It was an ID theft nirvana.