John Leyden has a follow-up on an e-mail hack The Register initially revealed in June and that I covered on this blog. Travelodge UK’s explanation doesn’t fully answer my questions, but here’s part of it:
This enquiry has thoroughly examined our own IT infrastructures and databases and those belonging to our suppliers as well. The key findings from this report have revealed that we have been the unfortunate victims of a malicious attack because of the vindictive actions of one individual, who had access to an unencrypted section of our marketing database.
We can confirm no financial data has been stolen, accessed or compromised. This information is held on a standalone, off-site separate server. The data itself is encrypted and complies with current best practice standards and is audited to PCI (Payment Card Industry) requirements.
A small number of customers’ names and email addresses were stolen, and these were used for the spam email.
Read more on The Register. It sounds to me as though this was a compromise at an e-mail service provider. But if the data were encrypted, was this an inside job? I wish Travelodge UK would issue a more unambiguous statement – and if it was an ESP, which one?