Travelodge Admits Customer Data Leak

Travelodge has informed the ICO of an ‘issue’ that resulted in the apparent compromise of customer emails

Travelodge has acknowledged an “issue” that resulted in the apparent compromise of some customer data, but said no financial details were involved.

In a letter (PDF) sent to customers, Travelodge chief executive Guy Parsons acknowledged that “a small number” of customers had received a spam email at addresses registered with the company.

Financial details

Parsons did not indicate the nature of the “issue”, but said Travelodge hadn’t sold customers’ data and that no financial information was at risk.

“Our main priority is to ensure the security of our customers’ data,” Parsons wrote. “Please be assured, we have not sold any customer data and no financial information has been compromised… We are currently conducting a comprehensive investigation into this issue.”

Parsons said the email appeared to advertise unspecified part-time job opportunities.

“A further update will be given, when we have completed our investigation,” Parsons wrote.

Customers first reported the incident on Wednesday via Twitter.

“Just got spam, with my full name, to an email address only ever used for (Travelodge),” one user wrote.

A day later Travelodge admitted via its Twitter feed that there had been an “issue”.

ICO informed

“Sorry for the spam email you may have received,” the company said in a Thursday post on Twitter. “We have NOT sold any data. We’re currently investigating this issue and will update you ASAP.”

The company informed the Information Commissioner’s Office of the matter on Thursday, the company said in a Friday Twitter post.

“Our investigation shows a small number of customers have received a spam email,” the company posted. “The Information Commissioner’s Office was informed yesterday.”

The incident arrives amidst growing concern over the security of individuals’ personal data. A number of hacking attacks targeting organisations including the CIA, the FBI, Lockheed Martin, RSA Security, Sony, Nintendo and others have resulted in the theft of data.

This week hacking group Lulzsec began posting the names, addresses, phone numbers and the names of family members of US law enforcement officials, in a protest against the enforcement of US drugs laws.

The Information Commissioner’s Office (ICO) has begun handing down increasingly large fines to UK-based organisations that lose customer data.

Earlier this month the ICO issued its biggest fine to date, imposing a penalty of £120,000 on Surrey County Council for disclosing individuals’ personal data on three separate occasions.

The incidents included sending personal data to groups including taxi firms and people who had subscribed to the council newsletter.