Travelodge still doesn't know who hacked it
Travelodge is still trying to find out who got into their customer database and snaffled names and email addresses. The budget chain told the Reg it has asked outside contractors to go through its systems to try and find the culprits. A spokeswoman said: In the last 24 hours, we have been conducting a comprehensive …
Suspicious
Anyone else here reckon they might have sold (part of) their customer database to the spammers, and now that they've been found out, are trying to blame a break in?
It doesn't have to be that
Travelodge sends out frequent targeted (junk) mail to people who've stayed in their hotels. Presumably these are based on particular demographics of customer, run through a database query, turned into a list and then fed into some automated mailshot program. The marketing people handling these lists probably aren't clued in about security so there is a lot of potential here for a list to leak out given the frequency of emails and the people doing it.
Maybe they did get hacked, but as likely someone left a list on a memory stick, or emailed it out to some external email address, or they gave it to a 3rd party who goofed in a similar way, etc.
Hmm
So they have no idea what happened but "We can further confirm no financial data has been stolen, accessed or compromised." Really? If they have no idea where the email addresses came from can they really say this and be certain of it?
Well I'm very concerned......
Very concerned indeed.
What if someone leaks that I've stayed in a Travelodge?
The shame.
OMG we've been haxxord!!1!
Funny how after years of denials, all of a sudden it's ok to admit you've been hacked, it's the new dog ate my homework excuse for corporate incompetence.
I wonder if they use SilverPop
They've been hacked before:
http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/
e-mails are like postcards
Something to bear in mind is that when Travelodge or anyone else sends out a batch of e-mails, they are probably reliant on a whole bunch of intermediate servers that sit between them and the end user. The internet being what it is.
This being the case, any compromised server along the route could potentially have access to any of those e-mail addresses and the names of recipients.
bulk email resenders have been targeted before
In October of last year I received spam to a number of semi-private mail aliases each used in connection with only a single web site. Eventually, I determined that each of these sites had used ThinkSend (aka createsend.com aka thinksend.com) to send their legitimate opt-in marketing emails at various times during 2009. One of the organisations followed up on this and confirmed that ThinkSend had been compromised during that timeframe: http://www.campaignmonitor.com/blog/post/2852/
More recently, I have received spam targeted at an address only known by me and laterooms.com, but their investigations drew a blank on that one. Thinking about it, I wonder if any data sharing goes on between laterooms and Travelodge?!?
source of emails
I recall a tourist hostel that employed casual night staff who were given access to the reservations system through a restricted access account. Unfortunately you could have unrestricted access to the database through a mapped drive where full customer details, Credit Card details etc., were stored entirely in the clear. The usernames and passwords for access to the reservations system were also stored unencrypted in a table. The manager used the same password on the electronic door system - so you could create your own master key ..
Not Mr and Mrs Smith
They should have got suspicious when one of Little Bobby Tables' relatives booked in under his full name.
I only got the "if you got spam" message from them
which frankly, in the absence of any spam which I could detect claiming to be Travelodge, was spam.
Oh, irony.......
"Travelodge still doesn't know who hacked it"
But they do know no credit card records were taken?
Hmm...
@Hardcastle the ancient
Yes they quite possibly do, because companies regularly offload credit card details to a more secure PSP and instead use a one-way hash to process transactions. They don't have to retain the original details to use them.
Dear Customer
"Our main priority is to ensure the security of our customers' data"
Hmm, clearly their main priority isn't about providing hotel rooms - then again, having stayed at some travelodges...
Maybe it was that Peggy character from the credit card company.
I understand they've been losing lots of customers to the barbarians.
