back to article Travelodge hacked, investigating

Travelodge is investigating its IT systems to discover how customer email addresses have gone astray. The Reg was contacted this morning by a reader who was receiving spam emails to a unique email address he had only given to Travelodge. Several other customers have blogged of similar experiences, here's Shepy's post on the …

COMMENTS

This topic is closed for new posts.
  1. Sir Cosmo Bonsor

    Interesting

    I'd also like to know how an address I've only ever given to the Times is now receiving copious spam. Respect to Travelodge for at least investigating, unlike Murdoch's lot.

    1. Arrrggghh-otron

      Uniqeness?

      Unless the address was particularly unique, it is possible that spammers were automatically trying lots of randomnames@givendomainname

      It is often interesting to delve into mail server log files and see who is trying to send what and to whom.

      1. Version 1.0 Silver badge
        Happy

        Server logs

        Yes - very useful. Anything that appears in the logs often get added to our honey pot list and further missives cause the senders to be added to the banned IP list. There's no need to seed the alt.sex newsgroups any more ... it's jolly decent of the spammers to relieve me of that task.

  2. Thom Brown
    Stop

    Lenny Henry's favourite motel?

    I think you'll find Lenny Henry promoted Premier Inn, not Travelodge.

    1. benjymous
      Trollface

      Ahh...

      ...maybe he's implying that whilst Lenny might advertise Premier Inn, he'd much rather actually stay at Travelodge.

      (That's always bothered me. Travel -odge? Trave -lodge?)

  3. TheOtherJola
    Thumb Down

    Lenny Henry's favourite motel chain

    No, he's actually a purple Premier Inn kinda guy.

    Travelodge is way, way too cheap - just look at what happened when he used to stay there, before he discovered the delights of the overpriced Premier Inn!

    http://www.youtube.com/watch?v=9_EGCSFHnfY

  4. TheOtherJola
    WTF?

    A copy of spam received

    Just checked my spam folder. Surely enough...

    from Bernarda Mcgee ffMcgeeBernarda@hotmail.com

    to travelodge@<my personal domain>.com

    date 22 June 2011 19:04

    subject <My full name>

    Greetings.

    This is unique business opportunity.

    Reputable agency is seeking for energetic worker in United Kingdom to help us start our business in the UK sector.

    Necessity:

    - Full age United Kingdom resident

    - Only operational knowledge of Internet & computer.

    - Free access to personal e-mail box

    - 2-3 free hours per day

    - Fast replies on our written tasks

    - good organizational skills.

    You can without problem combine our work with your primary work.

    Admirable salary ability. easy study available.

    Applicants must be intelligent and business oriented. Operate only some hours per day.

    Any person residing in the United Kingdom can become our representative.

    Our manager will contact you within several if you attracted.

    ----------------

    Breaking News: holy spirit graduate aj holland to sign with braves.

    1. Anonymous Coward
      Big Brother

      RE: A copy of spam received → #

      I've had something similar, and I've used Travelodge before as well.

      It raised an eyebrow as I don't normally get spam emails listing my full name...

    2. kev_cole
      WTF?

      Travel Lodge

      Funnily enough I had exactly the same email to travel-lodge@kevin-cole.co.uk also.

      In fact word for word.. Obvious they have got my address too.

      Might have been nice for Travel Lodge to email it's customers and advise...

  5. dotdavid
    Meh

    "Hotel chain's customers aggrieved"

    ...yeah, but to be fair they mainly were before the hack.

    After a series of incredibly bad experiences with them I avoid them wherever I can. Lenny Henry's favourite lot are much better, and often not much more expensive.

    1. Intractable Potsherd

      On the other hand ...

      ... my wife and I have rarely had a bad experience at a Travelodge, which we use fairly regularly despite having one of Best Western's regular user cards (whatever it is called).

      Travelodge is like McDonalds' - I know what I am going to get every time, regardless of location. The standard will be basic, but it will be clean and tidy(ish), and not cost a lot (usually, with sufficient advanced planning). Checkouts are sufficiently late for a lie-in I have time, and check-in is early enough to make getting settled in before dinner easy.

      Disclaimer: I have no connection with Travelodge in any way, and this is not a solicited comment - just putting the opposite view to dotdavid's.

  6. TheOtherJola
    Thumb Up

    Travelodge want your spam

    If you've received spam, send it to customer.services@travelodge.co.uk as they are collating as much information as possible. Remember to include headers and message source.

    I've just phoned their CS number (01844 358500, they're quite busy at the moment for some reason) and the CS team are all over it - a credit to them, at least they've not got their heads in the sand.

  7. Anonymous Coward
    Joke

    That will be a wake up call

    for their security.

  8. Anonymous Coward
    Anonymous Coward

    This happens quite a lot.

    I've had my own domain for many years, and as I use a catch-all mailbox, I took to putting a suffix onto my name so I can see when/if an address leaks into the wild.

    All in all it hasn't been to bad. El Reg hasn't leaked (which is nice), but a few online retailed I had dealings with have managed to get onto my "naughty" list. Which just means I create a dedicated mailbox for that address on the server and pipe them all into the trash. It also means I don't deal with that company again.

    1. Anonymous Coward
      Thumb Down

      Agreed...

      I invoke an identical process and have had similar experiences on addresses linked to

      uk.loccitane.com

      boffer.co.uk

      and BirdsEye's former promotional site bemortgagefree.co.uk

      The majority was spam but interestingly the one sent to the Boffer address was from a Boffer type competitor I had never heard off. Boffer denied anything untoward and deleted my forum posts on their site when I asked if others had received similar experiences.

  9. Anonymous Coward
    Anonymous Coward

    Maybe a coincidence

    But has anybody else who had the Travelodge spam also had one of those Indian "your computer is infected" phonecalls today ("Alex" from "MS Tec World" in case anybody's interested)? Where they get you to go into the event viewer and tell you that warnings/errors mean you're infected. It occured to me that I rarely give out the number this lot called on, and Travelodge would have been one of those companies that had it.

    1. Steve Evans

      Re: Maybe a coincidence

      Ah, my favourite callers... Kept one of those busy for almost half an hour the other week. I did enjoy myself.

      They even called back the next day, but I didn't have time to play that day. Now they don't call... I miss them and feel lonely and unloved.

      Pity really, because I've now got a VM all set up and ready to run their dodgy remote access software (plus it has a few manually induced "faults" to keep them entertained).

      Maybe I should give my details to Travelodge so I can get back in contact with them :-)

      Incidentally, the last time they called was a couple of days after I had been dealing with an Talk-talk's Indian call centre - coincidence?

  10. Neil Barnes Silver badge
    Boffin

    I wonder if we're looking at the wrong thing here...

    There is - in the vast majority of cases - absolutely no need to maintain an email address, let alone any personal data - once the original booking has completed. On a standard purchase of goods, there's no need for it at all - and yet they're not only grabbed but you can't buy stuff without handing over an email address. Hence many of us have dozens of throwaway email addresses...

    Here's a possible solution: When you first make a booking, or when you first purchase something, *they* send *you* an email with a one-off passkey. They then destroy your email details.

    Thereafter, the passkey enables you to track a booking or purchase, but without the necessity to store your email address. The passkey alone provides access to your account, but that's it.

    Of course, if they *don't* have my email address, they wouldn't be able to send me weekly offers to spend a weekend at parts of the country I never visit, but I'm sure I can live with that... and be honest: how many people actually respond to offers even when they've bought services or goods from the company in the past?

    1. Intractable Potsherd

      I use TrashMail for the same purpose.

      I very rarely use my real address for buying anything. I create a disposable address with the TrashMail add-on for Firefox with an estimate of how many e-mails it might need. It is easy to correct later if necessary. It seems to work, because I receive very little spam.

  11. Stefing

    Be all modern and fancy like

    Appending a + suffix to your email address comes in very handy!

    e.g. myname+dodgyhostels@gmail.com will be delivered to myname@gmail.com, handy for filtering and fingering. Ahem.

    1. JakeyC

      Agreed, except...

      ...too many sites (incorrectly) reject emails with a + in them, so I have to create ANOTHER throwaway address!

    2. Anonymous Coward
      Unhappy

      That's all well and good...

      ... But the number of sites who incorrectly (according to the appropriate RFC) reject email addresses with a "+" sign in due to it being "invalid". Or whose naff sanitising scripts strip out the "+" for fear it could be a sign of a SQL/Javascript attack thus stopping it working.

      Aaargh!

    3. benjymous

      I use a dot

      I've got some custom config stuff on my mailserver that lets me use "." like that - so myname.travelodge@mydomain.com - since there's no ambiguity with the "." it doesn't upset badly built sites

  12. JakeyC

    Only one email address leaked

    I noticed this today, as it was addressed to the name of someone I booked on behalf of once, using a me@googlemail.com address. So it's not just the email address, but also the account holder name they've pilfered.

    I also have another account with them using me@gmail.com but no email has been sent there (so far).

    Google identified it as spam, so unless they've not shown me the 2nd mail then it could be that it's an 'old' dataset that got taken?

  13. Annihilator
    Joke

    List of customers revealed

    And they all coincidentally turned out to be "Mr and Mrs John Smith". Don't Travelodges exist purely to facilitate extramarital affairs?

  14. Anonymous Coward
    Anonymous Coward

    hardly unique

    travelodge@yourdomain is hardly unique.... a quick dictionary test would find that or just a random spam email to obvious company names as so many people use something like that.

    1. jewelie
      FAIL

      Unique address

      AC, travelodge@yourdomain may not be unique, but I managed a misspelling in my unique tag for Travelodge, and in my case the e-mail was to this misspelt tag and nothing to the correct one. Plus they seem to know everyone's first and last names. They've definitely done a bad murde^Wfail.

    2. Anonymous Coward
      Anonymous Coward

      completely unique actually

      And reasonably conclusive in my case.

      I have 2 accounts in my name, with 2 different email addresses. I am receiving spam to both addresses quoting my account name.

      I wonder if any credit card data is kept by travelodge?

    3. Anonymous Coward
      FAIL

      FAIL

      Except the email to travelodge@mydomain included my full name - something random spam just to an email address would not contain.

  15. Dazzz

    Me too

    Just found it in my spam folder as well and passed it on to CS at travelodge.

  16. Ben Brandwood
    FAIL

    Me too!

    I got a spam email yesterday, to my travelodge only address. More worryingly it also had my full name as the subject, which leads me to think that they have been compromised (and what else).

    Change of passwords all round!

    I emailed them and got a canned response saying "Thanks for your feedback, but we can't respond to all comments" I responded saying I wasn't leaving feedback, and wished a response about the security of any personal data they hold on me or I'd be taking it up with the information commissioner.

    The Spam email came from (I assume false) Hotmail address, but seems to have been routed from a .ru address.

  17. Anonymous Coward
    WTF?

    see also: pixmania

    I had one recently from pixmania (they look french but they are part of Dixons)

    That one also had not just an email address (pixmania_nnn@mydomain) but also used my correct forename and surname (which are not obvious from the email address).

    There's a lot of it about. What is the appropriate response, legally speaking?

    1. Oscar Pops

      Response

      I emailed my spam to the CEO along with a ICO complaint form and copied in casework@ico.gov.uk. Dunno whether that's appropriate, worthwhile or a waste of time!

  18. Captain TickTock
    Paris Hilton

    Low rent?

    My, you've had a sheltered life.

    Paris, she's not low rent

  19. slideruler
    Flame

    And another one..

    Why can't these idiots realise that running an online presence is a bit more complex than 'corporate branding' and dumb software that pretends to be an 'automated assistant'? Some years ago, when involved in running a major online service - I was able to watch the logs of our external facing servers and proxies. Direct and indirect attacks, password attacks, brute forcing, dictionary attacks, SQL injections. The bad guys are persistent, and smarter than the idiots who think that outsourcing at the lowest possible price is 'the best way' to run an E-commerce service.

    I've received the same spam, to a unique address created a month or so ago - for a stay in a travelodge a couple of weeks ago. Like everybody else, it was personalised with my full name. My stay with them was booked and paid for online - so who knows if my credit card details have headed east too. Its about time the ICO started to hit these muppets hard. Fine them (or withdraw their online payment collection facilities) for having insecure systems, inadequate Intrusion detection, and poor or non-existent independent penetration testing. Hitting them financially is the only way that they'll learn the data protection lesson. I think it's about time a few very public examples were made, to concentrate the minds of the rest...

  20. Anonymous Coward
    Thumb Up

    "withdraw their online payment collection facilities for having insecure systems"

    I do like that idea, but surely it'll never happen because it means the card processors will lose their middleman's fees?

  21. Bog witch

    Gmail

    Interestingly, I have not received any spam apart from the usual stuff from Travelodge, the last being on June 16th.

    I guess GMail is doing a good job of blocking it.

    Thankfully, I do not use the same password on any sites so that won't be an issue and any credit card associated with Travelodge will have long since expired. I used Travelodge once - never again. It was a hole.

  22. Jeremy 2
    WTF?

    New rule for all computer security journalists...

    As of about a fortnight ago, ALL computer security stories must include at least one reference to LulzSec, regardless of whether there is any indication they were actually involved or not. Or at least, that's what it seems like lately.

  23. Anonymous Coward
    Anonymous Coward

    Not too surprised considering their IT dept recent form

    Considering all the problems Travelodge have been having recently with their brand new site that lasted a week back in February before being pulled due to half of it not working properly (really well tested)!

    Then they had their £10 sale which took their web site offline all day due to not figuring out that maybe, just maybe it might generate a little more traffic than normal, giving those tech heads who saw it a bit more concern over their IT dept skills or budget.

    Would be interesting to know if the people who got this spam last booked via the old or new web site as that might give a clue as to exactly what got hacked (if anything) and who is to blame.

    AC due to some connections to Travelodge.

  24. Anonymous Coward
    Anonymous Coward

    Travelodge respond

    http://www2.travelodge.co.uk/protect_your_data/Customer_Letter.pdf

    Not that they don't say that email addresses were not acquired by hacking.

  25. The Infamous Grouse
    Black Helicopters

    It must be the 'hackers'

    I've said it before and I'll say it again. The sheer number of corporations hit by 'hacker' attacks in the last six or seven months, compared with previous years, just seems improbably large. And while some are no doubt genuine external penetrations, I still have this nagging feeling that some individuals in some companies, with or without the backing of their superiors, may be using 'hackers' as an excuse to sell customer data for profit. I have no evidence of course, and I wouldn't even dare suggest which ones are probably genuine and which might be deliberate. I just have a very strong gut feeling that there are shady dealings afoot. The numbers simply don't feel right.

    And remember, those of us who use unique e-mail addresses for each recipient are a tiny, tiny minority of the customer base, even for technology companies and gaming websites. For someone like Travelodge the percentage will be even smaller. The vast majority of people who end up getting spammed as a result of this situation, be it penetration or otherwise, will be none the wiser as to why. So for any company or individual who WAS selling the customer database, the rewards would be great and the risk of detection relatively small.

    Just sayin'.

  26. Anonymous Coward
    FAIL

    No Need to Hack

    Some years ago I stayed in a Travelodge near Wales and found the previous three years worth of credit card receipts and business invoices being stored in boxes at the back of my wardrobe.

    It was an ID theft nirvana.

This topic is closed for new posts.

Other stories you might like