Butlins data breach hits 34,000 users

Butlins Bognor Regis welcome sign

Up to 34,000 Butlins customers may be affected by the company's data breach, security specialists have warned, with personal details such as postal addresses and holiday arrival dates thought to have been among the data stolen.

Butlins apologised in a statement to customers, explaining that the breach was the result of a phishing attack and was reported within 72 hours of its discovery, as stipulated in the new GDPR guidelines.

"Butlin's take the security of our guest data very seriously and have improved a number of our security processes," managing director Dermot King said in a statement. "I would like to apologise for any upset or inconvenience this incident might cause."

Butlins revealed information stolen from its network include names, home addresses, contact details and holiday arrival dates, meaning criminals could use this information to determine when a family is not at home and use it as an opportunity to break into their homes.

"Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection," said Gary Marsden, senior director, Data Protection Services at Gemalto. "Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures."

Because email addresses were also stolen, another concern for customers should be an increase in potential phishing attacks. If criminals know that the email addresses are both genuine and used for something as important as booking holidays, there may be an increase in the number of emails from malicious actors, Jake Moore, Security Specialist at ESET advised.

"Be alert to possible phishing emails from Butlins over the coming weeks," he said. "Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore."

He suggested those affected are extra-vigilant about changing their passwords and clicking on any links in emails, even if they seem to be legitimate.

However, other security analysts think it has exposed a glaring hole in the security strategy of some very large businesses. Despite the GDPR making it very clear that organisations need to install watertight security practices to avoid hefty fines, some are still not doing enough to prevent a breach.

"Poor security practices can no longer be tolerated, with breaches under GDPR potentially leading to serious financial and legal repercussions," Gerhard Giese, security solutions engineering manager at Akamai said. "Worse still, with booking details taken in this case, hackers would be aware of customer addresses, and when they won't be home potentially exposing them to additional risks."

The damage to Butlins is likely to be longstanding, Rob Shapland, principle cyber security engineer at Falanx Group said. The company is known as one of the leading family holiday businesses in the UK, but this breach and the risk that customers' physical and digital identities could be stolen may well have a sizable impact on its bottom line.

He advised the company re-think its training and security strategy to try and recoup some of the loss of business it may suffer as a result of this serious breach.

"The reputational damage to Butlin's could be extensive, especially if it were to lead to a customer being affected in this way," he said. "The breach perhaps shows that Butlin's processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.