Sleep tight, my pretty

Funny how talking about security tends to make us feel less secure. Raising a security issue without causing unnecessary worry is difficult. You need empathy, tact and excellent communication skills. A bit of charm wouldn’t go amiss either.

I recently received an email from Travelodge demonstrating the total lack of any of these qualities. It’s an email which I thought was worth a detailed reply.

Dear Customer

I’m not a customer. I stayed in a Travelodge hotel once, and it was OK, but there were a couple of things you could have improved. When I tried to give you some constructive feedback the link was broken, and when I tried to report the broken link, all the means for getting in touch with you about this issue were closed to me. I blogged about it all at the time, but to summarise: I think it would have been easier to get a private audience with the Pope than find a human being at your organisation willing to listen to my comments. So it’s highly unlikely that I’ll be rewarding you with repeat custom in the near future.

Our main priority is to ensure the security of our customers’ data,

Really? You see, I never gave my consent for you to store my data, so the most secure thing you could possibly have done with it is not to store it at all.

which is why I wanted to make you aware that a small number of you may have received a spam email via the email address you have registered with us.

(A small number of me?) As I said above, I didn’t register an email address with you, because I didn’t want you to have my email address on your files. Yes, I failed to contact you and say so, which means that legally you get to mutter weasel-words about “implicit consent”. But given how hard it is to contact Travelodge about anything at all, you were acting in bad faith when you assumed my silence was consent.

Please be assured we have not sold any customer data and no financial information has been compromised.

So you’ve accidentally given away my email address rather than selling it? Do you expect me to be overwhelmed with gratitude about that?

I’m assuming you’re going to explain in the next paragraph exactly what went wrong: how did spammers get hold of some of the email addresses on the Travelodge system?

All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.

What does this mean? Google tells me that there is a Payment Card Industry Security Standards Council, and this is presumably the body that sets the standards you comply with. It’s an industry body and the website content is aimed squarely at businesses rather than consumers, so there’s nothing that tells me how these PCI requirements are keeping my credit card details safe.

But what’s worrying me is why you’ve brought up the subject of credit card information. Are you trying to break the news that my credit card details are at risk from whatever’s happened? Or are you clumsily trying to reassure me that my details are not at risk? And what has happened, anyway? Tell me!

The safety and security of your personal information is of the utmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.

More boilerplate. But what issue? What’s happened? Why won’t you just tell me?

If you receive an email similar to the one shown here, please delete it as spam.

The link is to a PDF version of the same email, with the text of a spam message pasted into it. How does this help? If I don’t know what a spam message looks like by now, seeing one example won’t give me the experience I need to identify future spam. But perhaps the spammers will be good enough to stop after just one message.

If you have any questions regarding this matter, please email: andrea@travelodge.co.uk. A further update will be given, when we have completed our investigation.

Guy Parsons, Chief Executive

As I mentioned in my previous blog post about Travelodge, Andrea is imaginary. It’s very, very nice to finally get a working email address for someone in your organisation, even if she isn’t real, but it’s a shame you had to do something stupid with my contact details first. Also, what did you do? You’re not going to tell me, are you?

Never mind, I’ve found out for myself. Your database has been hacked. You took a whole day to respond to customers who tried to tell you about it, and even then you messed up the announcement. According to bitterwallet.com, you announced it on Twitter first and you didn’t email people on the database until three hours later. Even then, the email still doesn’t actually say what’s happened. Still, better that your customers find out the truth from online news sources than directly from you, right?