Travelodge has acknowledged an “issue” that resulted in the apparent compromise of some customer data, but said no financial details were involved.
In a letter (PDF) sent to customers Travelodge chief executive Guy Parsons acknowledged that “a small number” of customers had received a spam email at addresses registered with the company.
Parsons did not indicate the nature of the “issue”, but said Travelodge hadn’t sold customers’ data and that no financial information was at risk.
“Our main priority is to ensure the security of our customers’ data,” Parsons wrote. “Please be assured, we have not sold any customer data and no financial information has been compromised… We are currently conducting a comprehensive investigation into this issue.”
Parsons said the email appeared to advertise unspecified part-time job opportunities.
“A further update will be given, when we have completed our investigation,” Parsons wrote.
Customers first reported the incident on Wednesday via Twitter.
“Just got spam, with my full name, to an email address only ever used for (Travelodge),” one user wrote.
A day later Travelodge admitted via its Twitter feed that there had been an “issue”.
“Sorry for the spam email you may have received,” the company said in a Thursday post on Twitter. “We have NOT sold any data. We’re currently investigating this issue and will update you ASAP.”
The company informed the Information Commissioner’s Office of the matter on Thursday, the company said in a Friday Twitter post.
“Our investigation shows a small number of customers have received a spam email,” the company posted. “The Information Commissioner’s Office was informed yesterday.”
The incident arrives amidst growing concern over the security of individuals’ personal data. A number of hacking attacks targeting organisations including the CIA, the FBI, Lockheed Martin, RSA Security, Sony, Nintendo and others have resulted in the theft of data.
This week hacking group Lulzsec began posting the names, addresses, phone numbers and the names of family members of members of US law enforcement officials, in a protest against the enforcement of US drugs laws.
The Information Commissioner’s Office (ICO) has begun handing down increasingly large fines to UK-based organisations who lose customer data.
Earlier this month the ICO issued its biggest fine to date, imposing a pentalty of £120,000 on Surrey County Council for disclosing individuals’ personal data on three separate occasions.
The incidents included sending personal data to groups including taxi firms and people who had subscribed to the council newsletter.
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…
View Comments
Ash Patel, country manager for UK & Ireland at Stonesoft, has the following comment:
“Despite the fact that the Travelodge is reassuring its customers that hackers didn’t steal any financial data and that they only managed to get away with names and emails addresses doesn’t make this any better. The hackers could now use the information they have obtained and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC.
"The attack also highlights the importance of security when a company holds sensitive customer information. Organisations that carry out payment transactions should adhere to the PCI DSS Compliance guidelines and these should act as a supplement to good practice in-house security policies and processes . It is also very important to educate staff on Internet safety because ultimately the responsibility of security lies with the company and a breach can cause serious reputational damage.
“If a company finds it doesn’t have the staffing resources at times of cutbacks to adopt and maintain a comprehensive security system/practice they should deploy security solutions which can be comprehensively centrally managed and updated to protect against new threats as they emerge.”