14 DAY TRIAL // Travelodge, an UK budget hotel chain, has alerted customers that they might receive spam as a result of a breach that hasn't yet been determined.
The company launched an investigation after multiple users reported receiving work-at-home job offers on email addresses registered only with them.
There were speculations that Travelodge sold its customer database to a recruitment firm or that it was hacked.
The company hasn't yet determined the exact problem, but it acknowledged the incidents and alerted the Information Commissioner's Office.
"Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware, that a small number of you; may have received a spam email via the email address you have registered with us," Travelodge CEO Guy Parsons, wrote to customers. [pdf]
"Please be assured, we have not sold any customer data and no financial information has been compromised,
"All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements," he added.
Of course, it's been proven in the past that PCI compliance does not mean a company can't lose data. There were several cases of PCI-compliant payment processors being hacked and losing credit card information.
One possible explanation is that Travelodge contracted an outside company to handle its email marketing campaign and it was that partner that got hacked.
This happened earlier this year with a large US-based email services provider called Epsilon. The incident affected the customers of many Fortune 500 companies.
If the Travelodge customer email list has indeed been compromised, users should be wary of phishing emails sent in the company's name, as spammers might try to obtain additional information.