Butlins data breach hits 34,000 users

Butlins thinks the data was stolen via a phishing attack

Up to 34,000 Butlins customers may be affected by the company's data breach, security specialists have warned, with personal details such as postal addresses and holiday arrival dates thought to have been among the data stolen.

Butlins apologised in a statement to customers, explaining that the breach was the result of a phishing attack and was reported within 72 hours of its discovery, as stipulated in the new GDPR guidelines.

"Butlin's take the security of our guest data very seriously and have improved a number of our security processes," managing director Dermot King said in a statement. "I would like to apologise for any upset or inconvenience this incident might cause."

Butlins revealed that the information stolen from its network includes names, home addresses, contact details and holiday arrival dates, meaning criminals could use it to determine when a family is not at home and take that as an opportunity to break in.

"Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection," said Gary Marsden, senior director, Data Protection Services at Gemalto. "Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures."

Because email addresses were also stolen, another concern for customers should be an increase in potential phishing attacks. If criminals know that the email addresses are both genuine and used for something as important as booking holidays, there may be an increase in the number of emails from malicious actors, Jake Moore, Security Specialist at ESET, advised.

"Be alert to possible phishing emails from Butlins over the coming weeks," he said. "Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore." 

He suggested that those affected be extra vigilant about changing their passwords and about clicking on any links in emails, even if they seem to be legitimate.

However, other security analysts think the breach has exposed a glaring hole in the security strategy of some very large businesses. Despite the GDPR making it very clear that organisations need to install watertight security practices to avoid hefty fines, some are still not doing enough to prevent a breach.

"Poor security practices can no longer be tolerated, with breaches under GDPR potentially leading to serious financial and legal repercussions," Gerhard Giese, security solutions engineering manager at Akamai, said. "Worse still, with booking details taken in this case, hackers would be aware of customer addresses, and when they won't be home, potentially exposing them to additional risks."

The damage to Butlins is likely to be longstanding, Rob Shapland, principal cyber security engineer at Falanx Group, said. The company is known as one of the leading family holiday businesses in the UK, but this breach, and the risk that customers' physical and digital identities could be stolen, may well have a sizable impact on its bottom line.

He advised the company to rethink its training and security strategy to try to recoup some of the loss of business it may suffer as a result of this serious breach.

"The reputational damage to Butlin's could be extensive, especially if it were to lead to a customer being affected in this way," he said. "The breach perhaps shows that Butlin's processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches."
