Travelodge web site hack update

There’s been a few developments related to my earlier post about the possible Travelodge compromise. Firstly, it’s been covered by The Register so is attracting some interest. Travelodge themselves have also confirmed via Twitter that they haven’t sold any data, which makes it pretty clear they’ve been broken in to.

I’ve also had a reply from the CEO of Travelodge. It’s a bit light on content:

Thank you for your email regarding spam e-mail you have received. I am sorry you have had the need to write to me, but appreciate you bringing this to our attention.

Please be assured we are taking this matter most seriously. I attached a copy of a letter to our customers, for your information.

It’s not clear who the letter has or is being sent to, but it was included as a PDF and the text reads:

Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware, that a small number of you; may have received a spam email via the email address you have registered with us.

Please be assured, we have not sold any customer data and no financial information has been compromised.

All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.

The safety and security of your personal information is of the upmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.

If you receive an email similar to the one detailed below, please delete it as spam.

They’ve included a copy of the original spam – I’ll not reproduce it here. The letter closes:

If you have any questions regarding this matter please email: andrea@tra…dge.co.uk. A
further update will be given, when we have completed our investigation.

At least they’ve responded quickly to this as companies can often take days or weeks. The lack of any detail is understandable, given that it’s still early days and they probably don’t know what happened themselves yet – but then, how can they give us assurances that financial data is safe if they do not know what happened…? The mention of PCI is a little superfluous, given that PCI-DSS is the baseline standard required by banks before you’re allowed to handle any credit card information. It’s no guarantee of security.

@PogoWasRight is on the right track, asking Travelodge: “Do you handle email marketing in-house or do you outsource to an email service provider? If the latter, who?”. We’ve seen cases of email marketing providers getting themselves broken into recently and Travelodge may be another in a long list.

4 comments

  1. Actually PCI-DSS IS a big deal. I work in an organisation that has to comply and the amount of work that goes in to prove compliance, and to pass the yearly audit by a Qualified Security Assessors phenomenal!

    I wouldnt say it was “superfluous” at all…

    1. Superfluous as in saying you have it is superfluous – it’s stating the obvious. And the amount of work depends on your size in terms of transactions. It’s more work the more money you handle!

      1. “It’s more work the more money you handle!”

        Indeed! I’d bet that Travelodge like us is a Level 1 merchant and would therefore be near the top of that list.

        I agree – the early comms is good. Hope they keep everyone updated as they get more news

  2. I’m not reassured by the “a small number” bit. Sounds to me like they’ve assumed that not many more than those of us who’ve contacted them have been affected, yet us geeks who have the facility to tag e-mails could have picked up on this are going to be rare, very rare – the rest of their customers will have unknowingly had their details shared.

    As such, this response sounds like an emergency-firefighting response, based on guesses?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.