Suspicious
Anyone else here reckon they might have sold (part of) their customer database to the spammers, and now that they've been found out, are trying to blame a break-in?
Travelodge is still trying to find out who got into their customer database and snaffled names and email addresses. The budget chain told the Reg it has asked outside contractors to go through its systems to try and find the culprits. A spokeswoman said: In the last 24 hours, we have been conducting a comprehensive …
Travelodge sends out frequent targeted (junk) mail to people who've stayed in their hotels. Presumably these are based on particular demographics of customer, run through a database query, turned into a list and then fed into some automated mailshot program. The marketing people handling these lists probably aren't clued in about security so there is a lot of potential here for a list to leak out given the frequency of emails and the people doing it.
Maybe they did get hacked, but as likely someone left a list on a memory stick, or emailed it out to some external email address, or they gave it to a 3rd party who goofed in a similar way, etc.
I recall a tourist hostel that employed casual night staff who were given access to the reservations system through a restricted access account. Unfortunately you could have unrestricted access to the database through a mapped drive where full customer details, Credit Card details etc., were stored entirely in the clear. The usernames and passwords for access to the reservations system were also stored unencrypted in a table. The manager used the same password on the electronic door system - so you could create your own master key ..
Something to bear in mind is that when Travelodge or anyone else sends out a batch of e-mails, they are probably reliant on a whole bunch of intermediate servers that sit between them and the end user. The internet being what it is.
This being the case, any compromised server along the route could potentially have access to any of those e-mail addresses and the names of recipients.
In October of last year I received spam to a number of semi-private mail aliases each used in connection with only a single web site. Eventually, I determined that each of these sites had used ThinkSend (aka createsend.com aka thinksend.com) to send their legitimate opt-in marketing emails at various times during 2009. One of the organisations followed up on this and confirmed that ThinkSend had been compromised during that timeframe: http://www.campaignmonitor.com/blog/post/2852/
More recently, I have received spam targeted at an address only known by me and laterooms.com, but their investigations drew a blank on that one. Thinking about it, I wonder if any data sharing goes on between laterooms and Travelodge?!?