Travelodge UK has confirmed that a customer database security breach was behind the recent run of spam emails to its customers. Customers complained in June after receiving spam messages punting suspicious-looking "work-at-home opportunities" to email addresses they only ever used to make reservations with the hotel chain. …
I don't care who took your data or how they did it - just take better care of it.
I didn't want to give you my details in the first place, but you insisted, and wouldn't let me book the wretched room until I did.
Incidentally I only came to your urban hell-hole, with its miserable staff and extortionate price, because I had to catch a plane at 06:00.
If you think that any number of email "offers" can persuade me to stay there again, then you need new marketing people.
To be fair
At some point you have to let human beings access the data. All any company can do is limit the risk, limit who is permitted access to the data, advise their staff & partner firms how to handle it, store it in an encrypted form, audit for compliance. But if someone is criminally inclined they steal it no matter what.
'A small number of users'
I do wish that companies would stop trotting this out in all their press statements - as far as I'm concerned I couldn't care less if it's .001% of their customers or 100% - if I'm in the affected list then as far as I'm concerned I'm 100% affected.
Small number - really?
More to the point, is it a small number of users who had their details stolen or just a small number of users who have complained?
Most people use the same address on every site so have no clue where the spammers got their email from.
Not the worst
They may seem to be dragging their feet a bit but from my point of view they've been a lot more open about this breach than others like, say, Pixmania who had an almost identical breach just the week before.
Seems reasonable enough
..if it turns out whoever did this was at the time being paid to work with this sort of information then it looks as though they're doing their best to get to the bottom of it.
"I would like to see a full statement of who did it, why and how, followed by what they are doing to prevent a repeat"
Easy tiger! What's wrong with assuming that if/when they find out you will too eh?
Have a good weekend everyone - Beer'o'clock in my part of the world now so toodle-pip!
What a strange phrase. That means that their experts are still going with no hope of achieving a result, Flying Dutchman like - rather like a government IT project. Perhaps they should have worked thoroughly instead.
"financial ...information is held on a standalone ...server"
So, Travelodge, care to embellish on what the point is of having a standalone server storing payment data?
How does the information get into the standalone server?
How can you do anything with it once it's on a standalone server?
And don't forget it's also an "off site" server...
... So not only is it not connected to anything, it's impossible to get to. Right?
Reminds me of ..
.. when I received a marketing email from an Irish Travelodge hotel back in 2009. My email address was in the To: field along with several hundred other addresses... I emailed the sender the following message to which I never received a response. In retrospect I probably should have referenced Data Protection Law in order to elicit a response.
I would like to strongly complain about this email being sent in the form that it has been. Regardless of the fact that this is an unsolicited email, there are hundreds of addresses in the To: field of this email header. This is a well known means of proliferating spam. It is common practice in such a direct marketing mailshot to place such addresses in the Bcc: field. Perhaps your IT people would explain to you why this is the case.
Please remove my email address from your database immediately and confirm that this has been done by return email.
If anything, this sort of insecure marketing would give me much less confidence in the quality of your services and would certainly NOT encourage me to use Travelodge again.
Two weeks later I received more spam from these people, with zero addys in the To: field. I didn't get excited this time and have never heard from them since.
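The To:/Bcc: point raised in the complaint above can be turned into a simple outgoing-mail check. This is an added example, not anything from the thread or from Travelodge: it parses a constructed mailshot, lists every recipient address that would be visible to all the others, and rewrites the message so the recipient list goes into Bcc: instead.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mailshot (hypothetical addresses, not a real message).
SAMPLE_MAILSHOT = """From: offers@example-hotel.test
To: alice@example.org, bob@example.net, carol@example.com
Subject: Weekend deals

Hello!
"""


def visible_recipients(raw_message: str) -> list[str]:
    """Return every address in To: or Cc:, i.e. addresses every recipient can see."""
    msg = message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc"):
        addrs += [addr for _, addr in getaddresses(msg.get_all(header, []))]
    return addrs


def exposed_addresses(raw_message: str, max_visible: int = 1) -> list[str]:
    """Return the addresses that would be leaked by this mailshot, or [] if it is fine.

    A bulk mailing should expose at most one visible recipient (typically the
    sender's own list address); everything else belongs in Bcc:.
    """
    visible = visible_recipients(raw_message)
    return visible if len(visible) > max_visible else []


def rewrite_to_bcc(raw_message: str) -> str:
    """Move all recipients into Bcc: and put the sender's own address in To:.

    The MTA strips Bcc: on delivery, so the recipient list never reaches
    the other customers' inboxes.
    """
    msg = message_from_string(raw_message)
    recipients = visible_recipients(raw_message)
    del msg["To"]  # removes every To:/Cc: occurrence
    del msg["Cc"]
    msg["To"] = msg["From"]
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()
```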
back in the day
I used to work for a telecomms company as a customer service agent.
During training the whole Data Protection Act was hammered home about its importance and also hammered home the belief that if caught contravening you could be personally sued.
Now, it's feasible that these were just training scare stories, but even if true, the DPA ain't worth shit these days. I see more and more reports of data being mishandled and that the ICO seem to do feck all apart from issuing a "stern" letter.
Health and Safety is a bit barking sometimes, but should a company be found to be negligent in the cause of an accident involving an employee, the top people COULD go to jail.
IF a company is found to be negligent and cannot take adequate safeguards to ensure the safety of people's personal data then the top people should go to jail.
It's only when PEOPLE are held accountable for the actions on behalf of their company that data will truly be protected.
Ban EULA's and make everybody accountable, enough garbage. Sadly idiots that believe paper and data are a replacement for human accountability will wander in ever decreasing circles ad infinitum without beer.
Will someone for once
Just say, hey we screwed up, mea culpa and here is your free whatever. And how in the hell do they know he/she was vindictive? Most security systems (like this one) are a joke and whoever did it was probably LOL, not a vindictive bone in their body.
Imagine this in Plodland
Yus guvnor wen i threwed the brick into the jelery winder i wus perfickly calm after a few pints no agro attal
Well well naughty man as long as you didn't get angry or upset with someone go and sin no more
Never mind apologising for this security lapse...
how about apologising for my recent stay at your Brentwood East Hornden pseudo hotel? Where it was my extreme misfortune to come across the most alarming new concept in UK "culture"- THE ONLY WAY IS ESSEX TOURISM. (No, I'm not bullshitting, it exists, deal with it.)
Parties of already arseholed young women, dressed in what can only be described as "Transvestite Chic" miniskirts (1/2" below minge base), hair and make-up, complete with the latest over-powering Katie Price fragrance, screeched and clumped their way through the corridors on their way out and also on their way back from a nearby nightspot that appears in chavtastic "The Only Way is Essex". They explained that they were there in the hope that they would appear in an episode, or meet some of the "stars" of, the mockumentary itself.
The bizarre, unintentional talking tunnels that run from your bathrooms on the ground floor to the bathrooms on the first floor, provided such perfect acoustics that you could almost be in the shitter with them, as they vomited, cried, pissed, swore and shat away the small hours. Now, if you could somehow tap into the business of the type of perverts that get off on this sort of thing, you could charge premium babestation type chat line rates on top of the room rates and make an absolute killing. Hey, if this idea works out for you, I want a cut of the profits!
Internal or external
Let's hope it was an external hacker, then at least there's a remote chance of discovering their identity. On the other hand trying to isolate a single disgruntled employee in the Travelodge workforce is an investigative task of Holmesian proportions.
Thanks for sharing
Thanks, Travelodge for sharing so willingly, and lying to try and hide your incompetence.
You fracking FAIL.
From a victim of this farce
I was one who received two spam emails as a result of Travelodge's breach of security. It may seem a minor point, but the time taken by myself to avoid that breach of *my* security could be quite usefully used as the basis of a fine to Travelodge to be more careful in future.
The marketing bollox that is usually spoken in these cases would, one hopes, become less frequently seen if real penalties (that the companies could and should pursue in part against the thieves who steal the information) were given to them. Of course, the maximum amount they could retrieve from the thieves should be limited, so that enough real pain is inflicted on the companies to ensure they take better care in future.
As for the standards of Travelodge: I have never found them luxurious, but they are cheap and good enough for my purposes, which is usually when I have to be in London as a result of flight arrangements (though I do not stop at the one near Heathrow).
Audited to PCI Requirements - a fully PCI compliant organisation?
What lovely techno-babble. PCI has no requirements for you to audit access to customer email addresses (only cardholder data). Although they clearly didn't have an audit trail showing who had stolen this data, this could still be perfectly true whilst they remained PCI Compliant!
However, last summer the wonderful Travelodge website took my booking for the wrong day because when I went back to correct a wrongly entered card number it changed the booking date to the next available day. Given that logging of all activity relating to taking card payments is in scope for PCI I was rather annoyed when they could not check their web server logs to prove that it was their fault I had booked the wrong day. I wonder if my email to them which cited PCI requirements has led their PR team to fall back on the standard in their press release.
In ten years in IT security I've yet to come across a PCI Compliant company - many that say they are, have even been audited as such - but none that actually are 100% compliant. Know any company that actually monitors all changes to all critical files on every server and then correlates these with the approved change record? And then investigates any that don't match as a security incident?
Not diss'ing PCI - by the way - no standard is perfect but PCI is probably more perfect than others - especially version 2.0! So much so that other industries are considering adopting it for protection of their data (e.g. US Healthcare).
Fall under the California laws that require notice of a breach of privacy to affected residents? Will anyone sue, or will the AG go after them?
Looked up the laws, and no, it only applies if it involves name plus any of SSN, driver's license, or any financial acct number (including credit card number). So if anyone notices any fraud on their cards, report it to the California attorney general's office.