Maman Poulet | Clucking away crookedly through media, politics and life

Budget Travel and the missing USB stick

February 17th, 2010 · 10 Comments · Uncategorized

When Budget Travel went into liquidation last year, the official liquidator contacted the email database and told us that they were going to sell the database to an interested bidder. An opt out was given to subscribers.

I didn’t do anything about it personally- was surprised by the contact but given the tough times in travel industry I could understand that the email database of Budget customers could be worth something in paying off the debts of the company.

Tonight the liquidator emailed the database with news.  None of it any good in terms of data protection.   Nobody heard of encryption??

Dear Customer,

I contacted you before Christmas to inform you that Budget Travel Limited’s business had been put in liquidation, but that a number of parties were interested in purchasing Budget’s business. I told you then that your personal data held on a subscriber database would be disclosed to the purchaser as part of this process in order to ensure continuity of service to you as a valued Budget customer.

This purchase is now nearing completion and it is intended that the purchaser, Club Travel Limited, will complete its purchase of Budget’s business over the next few weeks. The information to be provided to Club Travel comprises your name and email and may also include your contact phone number and postal address (if you provided these details to Budget). The database also contains internal Budget codes representing customers’ age group, gender and travel preferences, but not all customers provided this information, so Budget may not necessarily store this encoded information about you.

The information stored therefore comprises very basic information which Budget used to provide quality travel services to you, some of which is encoded. In many cases Budget only stores your email and name. No other information relating to you is held on the database, for example, no financial information such as bank details or credit card details is stored on the database.

In preparation for completion of the purchase of Budget’s business, the subscriber database containing your information was placed on a portable USB stick, which was stored at Budget’s Dublin headquarters. This USB stick was stolen as part of a theft in the last fortnight. An Garda Siochana are investigating the matter and the perpetrators of the theft have been identified, but the USB stick has not yet been recovered. The theft appears to have been opportunistic with no specific intent to take customer data and it is important to emphasise that the information on the database is very basic data, which in some cases could be obtained elsewhere (in a telephone directory for example). Without the Budget Travel codes, it is unlikely that those who stole the USB stick will be able to decipher and read the encoded data.

As is best practice and as recommended by the Office of the Data Protection Commissioner, I am notifying you about the security breach and can reassure you that stringent measures have been put in place to prevent any breach like this occurring in the future.

Kind regards,

Simon Coyle
Official Liquidator
Budget Travel Limited (In Liquidation)



10 Comments so far