Butlins data breach hits 34,000 users

Butlins thinks the data was stolen via a phishing attack

Up to 34,000 Butlins customers may be affected by the company's data breach, security specialists have warned, with personal details such as postal addresses and holiday arrival dates thought to have been among the data stolen.

Butlins apologised in a statement to customers, explaining that the breach was the result of a phishing attack and was reported within 72 hours of its discovery, as stipulated in the new GDPR guidelines.

"Butlin's take the security of our guest data very seriously and have improved a number of our security processes," managing director Dermot King said in a statement. "I would like to apologise for any upset or inconvenience this incident might cause."

Butlins revealed that the information stolen from its network includes names, home addresses, contact details and holiday arrival dates, meaning criminals could use it to determine when a family is not at home and take the opportunity to break in.

"Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection," said Gary Marsden, senior director, Data Protection Services at Gemalto. "Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures."


Because email addresses were also stolen, another concern for customers should be an increase in potential phishing attacks. If criminals know that the email addresses are both genuine and used for something as important as booking holidays, there may be an increase in the number of emails from malicious actors, Jake Moore, Security Specialist at ESET, advised.

"Be alert to possible phishing emails from Butlins over the coming weeks," he said. "Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore." 

He suggested those affected are extra-vigilant about changing their passwords and clicking on any links in emails, even if they seem to be legitimate.

However, other security analysts think it has exposed a glaring hole in the security strategy of some very large businesses. Despite the GDPR making it very clear that organisations need to install watertight security practices to avoid hefty fines, some are still not doing enough to prevent a breach.

"Poor security practices can no longer be tolerated, with breaches under GDPR potentially leading to serious financial and legal repercussions," Gerhard Giese, security solutions engineering manager at Akamai, said. "Worse still, with booking details taken in this case, hackers would be aware of customer addresses, and when they won't be home, potentially exposing them to additional risks."

The damage to Butlins is likely to be longstanding, Rob Shapland, principal cyber security engineer at Falanx Group, said. The company is known as one of the leading family holiday businesses in the UK, but this breach and the risk that customers' physical and digital identities could be stolen may well have a sizable impact on its bottom line.

He advised the company re-think its training and security strategy to try and recoup some of the loss of business it may suffer as a result of this serious breach.

"The reputational damage to Butlin's could be extensive, especially if it were to lead to a customer being affected in this way," he said. "The breach perhaps shows that Butlin's processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches."
