
Butlins data breach hits 34,000 users

Butlins thinks the data was stolen via a phishing attack


Up to 34,000 Butlins customers may be affected by the company's data breach, security specialists have warned, with personal details such as postal addresses and holiday arrival dates thought to have been among the data stolen.

Butlins apologised in a statement to customers, explaining that the breach was the result of a phishing attack and was reported within 72 hours of its discovery, as stipulated in the new GDPR guidelines.

"Butlin's take the security of our guest data very seriously and have improved a number of our security processes," managing director Dermot King said in a statement. "I would like to apologise for any upset or inconvenience this incident might cause."

Butlins revealed that the information stolen from its network includes names, home addresses, contact details and holiday arrival dates, meaning criminals could use it to determine when a family is away and take the opportunity to break into their home.

"Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection," said Gary Marsden, senior director, Data Protection Services at Gemalto. "Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures."

Because email addresses were also stolen, another concern for customers should be an increase in potential phishing attacks. If criminals know that the email addresses are both genuine and used for something as important as booking holidays, there may be an increase in the number of emails from malicious actors, Jake Moore, Security Specialist at ESET, advised.

"Be alert to possible phishing emails from Butlins over the coming weeks," he said. "Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore." 

He suggested those affected be extra vigilant about changing their passwords and about clicking on any links in emails, even if they seem to be legitimate.

However, other security analysts think the breach has exposed a glaring hole in the security strategy of some very large businesses. Despite the GDPR making it very clear that organisations need to install watertight security practices to avoid hefty fines, some are still not doing enough to prevent a breach.

"Poor security practices can no longer be tolerated, with breaches under GDPR potentially leading to serious financial and legal repercussions," Gerhard Giese, security solutions engineering manager at Akamai, said. "Worse still, with booking details taken in this case, hackers would be aware of customer addresses, and when they won't be home, potentially exposing them to additional risks."

The damage to Butlins is likely to be longstanding, Rob Shapland, principal cyber security engineer at Falanx Group, said. The company is known as one of the leading family holiday businesses in the UK, but this breach and the risk that customers' physical and digital identities could be stolen may well have a sizable impact on its bottom line.

He advised the company re-think its training and security strategy to try and recoup some of the loss of business it may suffer as a result of this serious breach.

"The reputational damage to Butlin's could be extensive, especially if it were to lead to a customer being affected in this way," he said. "The breach perhaps shows that Butlin's processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches."
