Budget Travel Security Breach

scudzilla · 17-02-2010 10:50pm #1

I just received this email, i originally posted this in the Travel & Holidays forum but the mod decided that even though it was to do with Budget Travel, who supplied holidays and were a travel company, it had no place in that forum, and said i should post it here.

Dear Customer,

I contacted you before Christmas to inform you that Budget Travel Limited's business had been put in liquidation, but that a number of parties were interested in purchasing Budget's business. I told you then that your personal data held on a subscriber database would be disclosed to the purchaser as part of this process in order to ensure continuity of service to you as a valued Budget customer.

This purchase is now nearing completion and it is intended that the purchaser, Club Travel Limited, will complete its purchase of Budget's business over the next few weeks. The information to be provided to Club Travel comprises your name and email and may also include your contact phone number and postal address (if you provided these details to Budget). The database also contains internal Budget codes representing customers' age group, gender and travel preferences, but not all customers provided this information, so Budget may not necessarily store this encoded information about you.

The information stored therefore comprises very basic information which Budget used to provide quality travel services to you, some of which is encoded. In many cases Budget only stores your email and name. No other information relating to you is held on the database, for example, no financial information such as bank details or credit card details is stored on the database.

In preparation for completion of the purchase of Budget's business, the subscriber database containing your information was placed on a portable USB stick, which was stored at Budget's Dublin headquarters. This USB stick was stolen as part of a theft in the last fortnight. An Garda Siochana are investigating the matter and the perpetrators of the theft have been identified, but the USB stick has not yet been recovered. The theft appears to have been opportunistic with no specific intent to take customer data and it is important to emphasise that the information on the database is very basic data, which in some cases could be obtained elsewhere (in a telephone directory for example). Without the Budget Travel codes, it is unlikely that those who stole the USB stick will be able to decipher and read the encoded data.

As is best practice and as recommended by the Office of the Data Protection Commissioner, I am notifying you about the security breach and can reassure you that stringent measures have been put in place to prevent any breach like this occurring in the future.

Kind regards,

Simon Coyle
Official Liquidator
Budget Travel Limited (In Liquidation)

Now why am i starting to feel worried?? They had my card details etc when i paid for 2 holidays with them

Thoie · 17-02-2010 11:01pm

They'd have no reason to store those CC details, or to transfer them to anyone else, so I wouldn't worry too much. From your own post:

The information to be provided to Club Travel comprises your name and email and may also include your contact phone number and postal address (if you provided these details to Budget). The database also contains internal Budget codes representing customers' age group, gender and travel preferences, but not all customers provided this information, so Budget may not necessarily store this encoded information about you.

So, the easily read information is that your name is Bob Bobson, email bob@bob.bob, phone number 01-606606 and you live at 123 Fake Street. They might know that you're in the 25-35 age group, male and like flying first class to the States, taking the kosher meal on board and that you prefer an aisle seat.

Pythia · 17-02-2010 11:18pm

Terrible response from the Travel mod. "Repost and you will be banned" Wtf?

scudzilla · 17-02-2010 11:20pm

Pythia wrote: »

Terrible response from the Travel mod. "Repost and you will be banned" Wtf?

Yep, tell me about it, totally awesome modding there :rolleyes::rolleyes:

dudara · 17-02-2010 11:48pm

Guys, take any comments on moderator action to the Feedback forum - don't clog up this thread.

dudara

North Cork · 18-02-2010 12:19am

This is why the data was on a usb stick

http://www.wilsonsauctions.com/budget_travel.asp

Special Unreserved Office Furniture & IT Equipment Liquidation Auction

Auction Date:Saturday 20th February 2010 @ 11:00am

Location: 134-135 Lower Baggot Street, Dublin 2

Budget Travel Limited (In Liquidation)

Under the instructions of Simon Coyle of Mazars
(Official Liquidator)

Large selection of office equipment including: Desks, Chairs, Room Dividers, Storage Cabinets, Computers, Printers, Photocopiers, Fax Machines, Server Units, Boardroom Furniture & Kitchen Equipment.

Cabaal · 18-02-2010 8:47am

So a standard normal USB stick?...not one of those encyrpted one's that even charitys like Bernardo's use?...what a bunch of ****en idiots.

Some companys are just clueless

18-02-2010 9:11am

Seems they have the same information a company can get from buying a list of people from information services such as Kompass.

If it did fall into criminal hands, they'd take one look at it and bin it as it would be of no use whatsoever.

Personally I'd have no worries whatsoever & wouldn't give two seconds thought to this.

Cabaal · 18-02-2010 9:57am

91011 wrote: »

Personally I'd have no worries whatsoever & wouldn't give two seconds thought to this.

However it is still your personal information and companys should not be careless with it, in this case if its an unencrypted USB stick they then have been out and out careless with this information.

If I wanted just anyone to see my home address etc then I'd post it on the net

jhegarty · 18-02-2010 9:59am

Cabaal wrote: »

If I wanted just anyone to see my home address etc then I'd post it on the net

Most people do !

http://www.eircomphonebook.ie/

the_syco · 18-02-2010 10:24am

jhegarty wrote: »

Most people do !

http://www.eircomphonebook.ie/

This doesn't list what you like. The information, if used correctly, could let companies know what percentage of Budget Travel users liked certain resorts, and could send them spam based on their past preferences.

{^Syntax^} · 18-02-2010 10:31am

TrueCrypt is free....

Cabaal · 18-02-2010 10:52am

jhegarty wrote: »

Most people do !

http://www.eircomphonebook.ie/

Yeah some people "may" decided to list there details in a phone book, but its a choice to do so at the end of the day.

Some ejit company loosing a USB stick full of your details is not a choice, its down to carelessnes

eth0_ · 18-02-2010 1:14pm

No wonder they went bust if they thought putting a subscriber DB on an unencrypted USB stick was a good idea....!

ScouseMouse · 18-02-2010 1:40pm

scudzilla wrote: »

I just received this email, i originally posted this in the Travel & Holidays forum but the mod decided that even though it was to do with Budget Travel, who supplied holidays and were a travel company, it had no place in that forum, and said i should post it here.

Dear Customer,

I contacted you before Christmas to inform you that Budget Travel Limited's business had been put in liquidation, but that a number of parties were interested in purchasing Budget's business. I told you then that your personal data held on a subscriber database would be disclosed to the purchaser as part of this process in order to ensure continuity of service to you as a valued Budget customer.

This purchase is now nearing completion and it is intended that the purchaser, Club Travel Limited, will complete its purchase of Budget's business over the next few weeks. The information to be provided to Club Travel comprises your name and email and may also include your contact phone number and postal address (if you provided these details to Budget). The database also contains internal Budget codes representing customers' age group, gender and travel preferences, but not all customers provided this information, so Budget may not necessarily store this encoded information about you.

The information stored therefore comprises very basic information which Budget used to provide quality travel services to you, some of which is encoded. In many cases Budget only stores your email and name. No other information relating to you is held on the database, for example, no financial information such as bank details or credit card details is stored on the database.

In preparation for completion of the purchase of Budget's business, the subscriber database containing your information was placed on a portable USB stick, which was stored at Budget's Dublin headquarters. This USB stick was stolen as part of a theft in the last fortnight. An Garda Siochana are investigating the matter and the perpetrators of the theft have been identified, but the USB stick has not yet been recovered. The theft appears to have been opportunistic with no specific intent to take customer data and it is important to emphasise that the information on the database is very basic data, which in some cases could be obtained elsewhere (in a telephone directory for example). Without the Budget Travel codes, it is unlikely that those who stole the USB stick will be able to decipher and read the encoded data.

As is best practice and as recommended by the Office of the Data Protection Commissioner, I am notifying you about the security breach and can reassure you that stringent measures have been put in place to prevent any breach like this occurring in the future.

Kind regards,

Simon Coyle
Official Liquidator
Budget Travel Limited (In Liquidation)

Now why am i starting to feel worried?? They had my card details etc when i paid for 2 holidays with them

Cabaal wrote: »

So a standard normal USB stick?...not one of those encyrpted one's that even charitys like Bernardo's use?...what a bunch of ****en idiots.

Some companys are just clueless

Cabaal wrote: »

However it is still your personal information and companys should not be careless with it, in this case if its an unencrypted USB stick they then have been out and out careless with this information.

If I wanted just anyone to see my home address etc then I'd post it on the net

Am I reading this wrong, but it is encrypted.....

preilly79 · 18-02-2010 4:03pm

superscouse wrote: »

Am I reading this wrong, but it is encrypted.....

they state the data is encoded, not encrypted. big difference.
Encryption and encoding compared.

Cabaal · 18-02-2010 5:07pm

Perhaps they mean that it is encrypted...and simply don't know the different between encrypted and encoded I don't know.

At the end of the day they said encoded which as preilly79 has pointed out is not the same thing at all, its still concerning that they are not looking after customers data

Thoie · 18-02-2010 5:19pm

In this particular case they probably mean that if you had provided them with certain information (and not everyone does), there might be some letters numbers after your name. So in my example of male, 25-25, first class, kosher, aisle seat, there could be something along the lines of "MB/PREM/LZ/AI", which wouldn't mean a lot to the majority of people outside the industry/that company.

preilly79 · 19-02-2010 1:05am

Thoie wrote: »

In this particular case they probably mean that if you had provided them with certain information (and not everyone does), there might be some letters numbers after your name. So in my example of male, 25-25, first class, kosher, aisle seat, there could be something along the lines of "MB/PREM/LZ/AI", which wouldn't mean a lot to the majority of people outside the industry/that company.

i work in the software side of the travel industry, that's it in one.

Budget Travel Security Breach

Comments