Just what I needed
a spammed reminder of a night in hell.
Travelodge has told customers who've received spam email that the company has not lost their credit card details, which is nice. The letter said: Our main priority is to ensure the security of our customers' data, which is why I wanted to make you aware that a small number of you may have received a spam email via the email …
a spammed reminder of a night in hell.
Quite prompt and succinct admission.
Not excusing the security failure - but less bad than some others
Why do suppliers store customer credit card data?? Only the credit card companies should have any credit card details stored.
They do this because some BA believes that if want convince (i.e. not having to re-enter card details,) rather than security. Additionally card details (though again which card details are relevant,) for tracking usage of cards in the case of fraudulent usage or charge backs.
That said, card details should be stored in a PCI-DSS compliant store, so there should be no way of accessing the card data via the payment solution, just a reference token.
Any site which takes your Credit Card data stores your data 'to make your return visit much easier'
The ability to remove your own data with the click of a button seems to most logical step but doesn't encourage your customers to return. Clearly trying to tie you into their brand takes a much higher priority over customer data security.
Buy a Kindle from Amazon and you never have to input you data again. All your eBooks purchases are automatically charged to the same card. Found this out when I bought a neice a kindle for her birthday. Helpful.
No good if your PCI-DSS compliant data store gets compromised too.
Far less likely than someone getting an SQL injection past your badly coded web front end but still possible.
You may also want to take a shufty at https://www.amazon.co.uk/gp/yourstore/pym/cc/ref=ya__7 and https://www.amazon.co.uk/gp/advertising/oo/ref=ya__64
Turn off "1 Click" here: https://www.amazon.co.uk/gp/css/account/address/view.html/ref=ya__32
Delete credit cards here: https://www.amazon.co.uk/gp/css/account/cards/view.html/ref=ya__29
It's not great, but it's doable.
Both of these are listed on the "your account" page, which is linked to at the top of every page on Amazon.
the gift that keeps on giving....
Well, yesterday you said that about my email.
Who says its a hack, as yet it could be any number of things, data stolen by employee, badly discarded details (disk, printout, laptop etc), lost usb stick.... but hell lets go for the headline....
Why do they assume only "a small number" of people have been affected? Is it because only a small number of people reported this to them, which is because only a small number of obsessive geeks are in a position have spotted the link between the spam and Travelodge, cos only very few, geeky people uniquely tag each email address they hand out to 3rd parties? There's been at least 4 of us rare OCD geeks who spotted the anomaly, the vast VAST majority wouldn't have scanned their spams with a fine tooth comb or MUCH more likely wouldn't be using or able to use such unique e-mail address so simply couldn't have known - ergo the size of the breach must be MUCH bigger - which doesn't fit with their quote of "a small number".
When they stop stating things they can't substantiate, then I'll feel comfortable trusting the rest of the statement they make.
Travelodge have had 2 sites on the go for a while now. The new one went up for a week earlier this year but got pulled down and replaced by the old one (on www2.travelodge.co.uk). It seems like the new site has gone back online recently.
Any clues as to which one was compromised?
Just one week after I actually sign up and book online for the first time...
A spam email, from someone called "Emma Toppa" spewing crap about some company that was opening in the UK or something. Of course I ignored it.
But thanks to owning my own email domain name, and the sometimes tiresome practice of using different return names for companies I register with, if the worst comes to the worst I can always block "firstname.lastname@example.org" at the gateway, and all sorted.
The fact that the new site gives a Java error when you give it malformed input isn't very encouraging
"Error 500: java.lang.NumberFormatException: For input string: "zzz""
Furthermore it seems to fall over (perpetual timer bar) when you do a search for a hotel with a double quote in the hotel name box.
All in all it doesn't exactly inspire confidence!
"Buy a Kindle from Amazon and you never have to input you data again. All your eBooks purchases are automatically charged to the same card. Found this out when I bought a neice a kindle for her birthday. Helpful."
From what I recall when I bought mine they do send you an email to explain that they will set it up on your Amazon account and that if its a gift for someone else then they give you a link to a page where you can sort this out.
However, the fact that its set up onto "1-click" purchasing is something I'm still not entirely happy about ... I'd much prefer it if they allowed an option to require a password before anything gets purchased.
Stayed in a Travelodge in Newcastle last year.
Had to make the extra bed ourselves (apparently customers like to make it their own way)
No soap or hair/shower product provided to reduce costs.
Worst bed I've ever slept in.
After the first night, cancelled the next 2 nights, and booked in with Theophilus P. Wildebeest AKA the Purple Throbbing Monster. Not a lot dearer, but definitely a notch above.
I may be paranoid but "financial data" by itself, at least to me, appears possibly to refer only to the company's financial data - not cardholder data due to them "including" it with financial data in the PCI paragraph. PR/Legal probably approved that statement. To be fair, if I had customers reporting data loss like they do, I wouldn't definitively say cardholder data wasn't exposed until I had completed log and config reviews, preferably with an outside contractor double-checking everything. Maybe not even then.
Important distinction: Not having found evidence that a breach occurred isn't the same thing as not having a breach. If customer complaints were the first incident indicator they noticed... that doesn't give me a warm fuzzy about their security monitoring.
Where did this data come from?
Shouldn't have employed those two for the TV advert
They haven't taken their old site off line. I wonder how much poor code with direct access to the databases (via the login authentication mechanism) is still freely available to anyone with some brains?
http://www.travelodge.co.uk/index.html redirects to http://www2.travelodge.co.uk/index.php
http://www.travelodge.co.uk/homepage.html to get to the old site.
Also, lets make it reveal their webserver and TCP port? Simple..
No inspiring some old code doesn't have an exploit now is it.
I stayed in Travel Lodge 4 years ago and they we still storing my details on their server.
There data retention policy needs a serious looking at. Hopefully the credit card I used with them should have expired in this time but I have no way of knowing as it was so long ago.