Nik lives in Essex, UK and works in London as the editor of MacUser magazine. The posts and comments on this site do not necessarily reflect the views, opinions or values of his employers.
Simon (I’ve changed his name) is off to Amsterdam in February with his wife. I know when he’s going, what flight he’s on, when he takes off and lands, when he’ll be returning, the name of his spouse, how much he paid, where he’ll be staying, what kind of meal he’s having (hot or cold) on each leg of the journey, how many rooms his hotel has, what sleeping arrangements he’s made (ie single, double or twin beds), whether he’s going to have to pay a supplement for parking…
In other words, pretty much everything about his trip.
Oh, and I also know his home phone number, which was what I used to call him this evening to inform him that Expedia have very helpfully sent me all of his personal information.
That’s not the first time it’s happened. At the end of December they sent me all the flight details for some poor woman who was flying from Manchester to London and back. Their response when I told them about it was to ask me to change my email address so that it is not the same as one of their customers’.
At the time I thought it was the customer spoofing the system, trying to buy a holiday using my address so they wouldn’t get spammed, but tonight, after calling Expedia for the second time to explain what had happened, I got a very different answer.
The address they used, you see, was expedia[at]offline.co.uk and as I own the domain offline.co.uk obviously anything before the @ symbol ends up in my inbox.
After explaining this to the woman on the phone, she put me on hold for a long while. When she came back she breezily explained that they had a very similar internal address - expedia.offline [at] something-or-other - and that the ‘new starters’ they had working there were using it wrongly, sending personal and private details outside of the company network and on to me.
It hardly seems right that in a time when we are supposed to have heightened airline security an online travel agent - and one of the biggest ones at that - is sending me all sorts of details I shouldn’t be sent. I wonder how many other people have ‘similar’ addresses to internal, misused Expedia accounts.
Perhaps they have an expedia.staff address that sometimes gets sent to the owner of staff.co.uk. Maybe expedia.confidential gets sent to confidential.com…
But why is such an enormous online travel agent hiring ‘new starters’ who seem unable even to properly form an email address in the first place? That’s something I’ll keep in mind until next time I’m trying to decide who I should book a trip through.
3 Responses to “Inexcusible insecurity”
Blimey! and there’s me been singing their praises these last few weeks after booking my last two city breaks with them. Maybe time to look for a new supplier of cheap mini-breaks.
• Posted at 8:06 am on January 15th, 2004 by Kev.
Further to the Expedia fiasco. I have just received an email from Amazon who are advertising short breaks. I thought, that’s handy and clicked the link. To my amazement it takes me to an Amazon holiday page on behalf of “their trusted partner Expedia”! I use Amazon all the time. I like Amazon. I had no idea they were in bed with Expedia though, did you?
• Posted at 8:36 am on January 15th, 2004 by Kev.
Something has gone badly wrong with Expedia’s system. They have already lost three International trips from me and now this security breach.
• Posted at 7:07 am on January 15th, 2004 by Mike Brunt.