Travelodge UK has informed the Information Commissioner's Office of a potential data compromise after spam emails were sent from official accounts.
An email was sent to customers offering an ‘exciting career opening’ for ‘self-motivated people in United Kingdom to help us spread out our activity in the UK area’.
In a statement, Travelodge UK chief executive Guy Parsons said that a small number of users ‘may have received a spam email via the email address you have registered with us’.
He said: “Our main priority is to ensure the security of our customers' data. Please be assured, we have not sold any customer data and no financial information has been compromised.
“All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI DSS requirements. The safety and security of your personal information is of the utmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.”
The company later said that its investigation only found that a small number of customers had received a spam email. It also confirmed that it had not sold any customer data.
Blogger Richard Shepherd wrote on his website that the spam email featured his full name in the subject line, which is not what you would expect to see in spam and which caused him to look a little closer.
He said: “Whilst I appreciate that the update states that no financial information has been compromised and adheres to PCI standards, this still doesn't sit well with me. Mainly because if they have been compromised enough to steal customer names and email addresses, how are they so sure that financial information has not been taken also?
“Also if safety and security of personal data is of utmost importance, why did it take people complaining on Twitter etc. to highlight the situation and get this half update? Though a full investigation will take time it would still be more reassuring to know what they know so far. By saying ‘no financial information has been compromised’ they are, through omission of discussing other details, saying that some data has been compromised.
“It is ignorant to think that just because financial information has (claimed) not to have been accessed, that it is unimportant to announce what has been accessed. Have passwords been compromised? It makes no mention of these and some people may have used the same password on Travelodge as they have on other sites. This ‘update’ is nothing more than fire fighting to try and calm the situation and save face in my opinion, and leaves more questions open than it answers.”
Ash Patel, country manager for UK & Ireland at Stonesoft, said: “Despite the fact that the Travelodge is reassuring its customers that hackers didn't steal any financial data and that they only managed to get away with names and email addresses doesn't make this any better.
“This highlights the importance of security when a company holds sensitive customer information. Organisations that carry out payment transactions should adhere to the PCI DSS compliance guidelines and these should act as a supplement to good practice in-house security policies and processes. It is also very important to educate staff on internet safety because ultimately the responsibility of security lies with the company and a breach can cause serious reputational damage.”
Simon Ford, engineering director at NCP, said: “It is similar to what happened with Sony and Sega and for them to say ‘compromised’ is a good way of saying this and avoiding bad press.”