Interesting
I'd also like to know how an address I've only ever given to the Times is now receiving copious spam. Respect to Travelodge for at least investigating, unlike Murdoch's lot.
Travelodge is investigating its IT systems to discover how customer email addresses have gone astray. The Reg was contacted this morning by a reader who was receiving spam emails to a unique email address he had only given to Travelodge. Several other customers have blogged of similar experiences; here's Shepy's post on the …
Yes - very useful. Anything that appears in the logs often gets added to our honey pot list and further missives cause the senders to be added to the banned IP list. There's no need to seed the alt.sex newsgroups any more ... it's jolly decent of the spammers to relieve me of that task.
Just checked my spam folder. Sure enough...
from Bernarda Mcgee ffMcgeeBernarda@hotmail.com
to travelodge@<my personal domain>.com
date 22 June 2011 19:04
subject <My full name>
Greetings.
This is unique business opportunity.
Reputable agency is seeking for energetic worker in United Kingdom to help us start our business in the UK sector.
Necessity:
- Full age United Kingdom resident
- Only operational knowledge of Internet & computer.
- Free access to personal e-mail box
- 2-3 free hours per day
- Fast replies on our written tasks
- good organizational skills.
You can without problem combine our work with your primary work.
Admirable salary ability. easy study available.
Applicants must be intelligent and business oriented. Operate only some hours per day.
Any person residing in the United Kingdom can become our representative.
Our manager will contact you within several if you attracted.
----------------
Breaking News: holy spirit graduate aj holland to sign with braves.
... my wife and I have rarely had a bad experience at a Travelodge, which we use fairly regularly despite having one of Best Western's regular user cards (whatever it is called).
Travelodge is like McDonald's - I know what I am going to get every time, regardless of location. The standard will be basic, but it will be clean and tidy(ish), and not cost a lot (usually, with sufficient advance planning). Checkouts are sufficiently late for a lie-in if I have time, and check-in is early enough to make getting settled in before dinner easy.
Disclaimer: I have no connection with Travelodge in any way, and this is not a solicited comment - just putting the opposite view to dotdavid's.
If you've received spam, send it to customer.services@travelodge.co.uk as they are collating as much information as possible. Remember to include headers and message source.
I've just phoned their CS number (01844 358500, they're quite busy at the moment for some reason) and the CS team are all over it - a credit to them, at least they've not got their heads in the sand.
I've had my own domain for many years, and as I use a catch-all mailbox, I took to putting a suffix onto my name so I can see when/if an address leaks into the wild.
All in all it hasn't been too bad. El Reg hasn't leaked (which is nice), but a few online retailers I had dealings with have managed to get onto my "naughty" list. Which just means I create a dedicated mailbox for that address on the server and pipe them all into the trash. It also means I don't deal with that company again.
I invoke an identical process and have had similar experiences on addresses linked to
uk.loccitane.com
boffer.co.uk
and BirdsEye's former promotional site bemortgagefree.co.uk
The majority was spam but interestingly the one sent to the Boffer address was from a Boffer type competitor I had never heard of. Boffer denied anything untoward and deleted my forum posts on their site when I asked if others had received similar experiences.
But has anybody else who had the Travelodge spam also had one of those Indian "your computer is infected" phone calls today ("Alex" from "MS Tec World" in case anybody's interested)? Where they get you to go into the event viewer and tell you that warnings/errors mean you're infected. It occurred to me that I rarely give out the number this lot called on, and Travelodge would have been one of those companies that had it.
Ah, my favourite callers... Kept one of those busy for almost half an hour the other week. I did enjoy myself.
They even called back the next day, but I didn't have time to play that day. Now they don't call... I miss them and feel lonely and unloved.
Pity really, because I've now got a VM all set up and ready to run their dodgy remote access software (plus it has a few manually induced "faults" to keep them entertained).
Maybe I should give my details to Travelodge so I can get back in contact with them :-)
Incidentally, the last time they called was a couple of days after I had been dealing with Talk-talk's Indian call centre - coincidence?
There is - in the vast majority of cases - absolutely no need to maintain an email address, let alone any personal data - once the original booking has completed. On a standard purchase of goods, there's no need for it at all - and yet they're not only grabbed but you can't buy stuff without handing over an email address. Hence many of us have dozens of throwaway email addresses...
Here's a possible solution: When you first make a booking, or when you first purchase something, *they* send *you* an email with a one-off passkey. They then destroy your email details.
Thereafter, the passkey enables you to track a booking or purchase, but without the necessity to store your email address. The passkey alone provides access to your account, but that's it.
Of course, if they *don't* have my email address, they wouldn't be able to send me weekly offers to spend a weekend at parts of the country I never visit, but I'm sure I can live with that... and be honest: how many people actually respond to offers even when they've bought services or goods from the company in the past?
I very rarely use my real address for buying anything. I create a disposable address with the TrashMail add-on for Firefox with an estimate of how many e-mails it might need. It is easy to correct later if necessary. It seems to work, because I receive very little spam.
... But the number of sites that incorrectly (according to the appropriate RFC) reject email addresses with a "+" sign in due to it being "invalid". Or whose naff sanitising scripts strip out the "+" for fear it could be a sign of a SQL/JavaScript attack, thus stopping it working.
Aaargh!
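A defender-side check in the spirit of the tagged catch-all addresses described above and the complaint about sites mangling "+" addresses, added here as an example and not taken from any comment in the thread: it accepts RFC 5322 local parts (a "+" included), pulls the tag out of a catch-all or plus address, and flags mail to a tag that arrives from anyone other than the company the tag was issued to. MY_DOMAIN, the ISSUED table and the sample headers are constructed assumptions; the sender domains in ISSUED are the ones named in the thread.

```python
import re
from email.utils import parseaddr

# Hypothetical catch-all domain, constructed for this example.
MY_DOMAIN = "example.org"

# Tag handed to each company -> sender domain its legitimate mail should come from.
ISSUED = {
    "travelodge": "travelodge.co.uk",
    "boffer": "boffer.co.uk",
    "loccitane": "uk.loccitane.com",
}

# RFC 5322 dot-atom local part: '+' is a perfectly legal character in it.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")

def extract_tag(address):
    """Tag from 'tag@MY_DOMAIN' or 'name+tag@MY_DOMAIN'; None if not ours or malformed."""
    _, spec = parseaddr(address)
    local, sep, domain = spec.rpartition("@")
    if not sep or domain.lower() != MY_DOMAIN or not LOCAL_PART_RE.match(local):
        return None
    if "+" in local:                      # plus-addressing: keep only the suffix
        local = local.split("+", 1)[1]
    return local.lower()

def classify(to_header, from_header):
    """Return (verdict, tag); 'leaked' = a tagged address got mail from a third party."""
    tag = extract_tag(to_header)
    if tag is None:
        return ("not-tagged", None)
    expected = ISSUED.get(tag)
    if expected is None:
        return ("unissued", tag)          # misspelt or guessed tag, never handed out
    _, sender = parseaddr(from_header)
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return ("expected", tag)
    return ("leaked", tag)

# Constructed sample To/From header pairs modelled on the thread (not real mail).
SAMPLE = [
    ("travelodge@example.org", "Bernarda Mcgee <ffMcgeeBernarda@hotmail.com>"),
    ("travelodge@example.org", "noreply@travelodge.co.uk"),
    ("me+boffer@example.org", "offers@rival-deals.example"),
    ("travelodg@example.org", "jobs@mailer.example"),
]

def audit(messages):
    return [(*classify(to, frm), frm) for to, frm in messages]
```

The "unissued" verdict covers the misspelt-tag case mentioned later in the thread: mail to a tag you never handed out means the address was guessed or copied with an error, not merely forwarded.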
I noticed this today, as it was addressed to the name of someone I booked on behalf of once, using a me@googlemail.com address. So it's not just the email address, but also the account holder name they've pilfered.
I also have another account with them using me@gmail.com but no email has been sent there (so far).
Google identified it as spam, so unless they've not shown me the 2nd mail then it could be that it's an 'old' dataset that got taken?
AC, travelodge@yourdomain may not be unique, but I managed a misspelling in my unique tag for Travelodge, and in my case the e-mail was to this misspelt tag and nothing to the correct one. Plus they seem to know everyone's first and last names. They've definitely done a bad murde^Wfail.
I got a spam email yesterday, to my travelodge only address. More worryingly it also had my full name as the subject, which leads me to think that they have been compromised (and what else).
Change of passwords all round!
I emailed them and got a canned response saying "Thanks for your feedback, but we can't respond to all comments" I responded saying I wasn't leaving feedback, and wished a response about the security of any personal data they hold on me or I'd be taking it up with the information commissioner.
The spam email came from a (I assume false) Hotmail address, but seems to have been routed from a .ru address.
I had one recently from pixmania (they look French but they are part of Dixons)
That one also had not just an email address (pixmania_nnn@mydomain) but also used my correct forename and surname (which are not obvious from the email address).
There's a lot of it about. What is the appropriate response, legally speaking?
Why can't these idiots realise that running an online presence is a bit more complex than 'corporate branding' and dumb software that pretends to be an 'automated assistant'? Some years ago, when involved in running a major online service - I was able to watch the logs of our external facing servers and proxies. Direct and indirect attacks, password attacks, brute forcing, dictionary attacks, SQL injections. The bad guys are persistent, and smarter than the idiots who think that outsourcing at the lowest possible price is 'the best way' to run an E-commerce service.
I've received the same spam, to a unique address created a month or so ago - for a stay in a Travelodge a couple of weeks ago. Like everybody else, it was personalised with my full name. My stay with them was booked and paid for online - so who knows if my credit card details have headed east too. It's about time the ICO started to hit these muppets hard. Fine them (or withdraw their online payment collection facilities) for having insecure systems, inadequate intrusion detection, and poor or non-existent independent penetration testing. Hitting them financially is the only way that they'll learn the data protection lesson. I think it's about time a few very public examples were made, to concentrate the minds of the rest...
Interestingly, I have not received any spam apart from the usual stuff from Travelodge, the last being on June 16th.
I guess GMail is doing a good job of blocking it.
Thankfully, I do not use the same password on any sites so that won't be an issue and any credit card associated with Travelodge will have long since expired. I used Travelodge once - never again. It was a hole.
Considering all the problems Travelodge have been having recently with their brand new site that lasted a week back in February before being pulled due to half of it not working properly (really well tested)!
Then they had their £10 sale which took their web site offline all day due to not figuring out that maybe, just maybe it might generate a little more traffic than normal, giving those tech heads who saw it a bit more concern over their IT dept skills or budget.
Would be interesting to know if the people who got this spam last booked via the old or new web site as that might give a clue as to exactly what got hacked (if anything) and who is to blame.
AC due to some connections to Travelodge.
I've said it before and I'll say it again. The sheer number of corporations hit by 'hacker' attacks in the last six or seven months, compared with previous years, just seems improbably large. And while some are no doubt genuine external penetrations, I still have this nagging feeling that some individuals in some companies, with or without the backing of their superiors, may be using 'hackers' as an excuse to sell customer data for profit. I have no evidence of course, and I wouldn't even dare suggest which ones are probably genuine and which might be deliberate. I just have a very strong gut feeling that there are shady dealings afoot. The numbers simply don't feel right.
And remember, those of us who use unique e-mail addresses for each recipient are a tiny, tiny minority of the customer base, even for technology companies and gaming websites. For someone like Travelodge the percentage will be even smaller. The vast majority of people who end up getting spammed as a result of this situation, be it penetration or otherwise, will be none the wiser as to why. So for any company or individual who WAS selling the customer database, the rewards would be great and the risk of detection relatively small.
Just sayin'.