Budget hotel chain Travelodge has sent an email to its customers playing down worries that it has suffered a data breach but without ruling it out.

On Wednesday, customers of the chain used Twitter to complaining of receiving spam emails at addresses only used to communicate with that company. A day later the company finally sent an email to some of its customers warning of the spam campaign.

“Please be assured we have not sold any customer data and no financial information has been compromised,” read the email. ”The safety and security of your personal information is of the utmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.”

“All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements,” it said, a reference to encryption used to store such information.

What if anything has happened remains a mystery. One possibility is that an email marketing list has been compromised, possibly with the names of opt-in customers on it.

In April, large US email marketing firm Epsilon Interactive was hacked in this way, which compromised the email details held for up to 2,500 companies. If the issue relates to this sort of database then customers face little more than nuisance as spam arrives over the coming months.

More concerning is the company’s vagueness about what has happened which suggests that it simply doesn’t know. On Friday, Travelodge said on Twitter that it believed that only a small number of email addresses had been compromised and confirmed that the Information Commissioner had been informed.

The concern remains that a larger group of users might have been compromised than those complaining – many spam emails never reach users or go unnoticed.