igor - Fotolia

Butlin’s warns of potential personal data breach

Holiday camp chain blames cyber breach on a phishing attack, implying that attackers were able to steal user credentials to access customer data – and underlining the need for security awareness training

UK holiday camp chain Butlin’s has warned that the personal data of up to 34,000 customers may have been exposed in a cyber breach.

The company has blamed the breach on a phishing attack, which indicates that an employee was probably tricked into divulging user credentials for a customer data system, rather than any high-tech hacking technique.

Butlin’s said the data at risk includes names, addresses, contact details and holiday arrival dates, but does not include any financial information.

The company apologised and said it had begun notifying customers of the breach within 72 hours in line with the requirements of the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned data protection laws, but said it was still not clear whether any of the personal data had been stolen, adding that no fraudulent activity had been detected so far.  

“We cannot be definitive at the moment with regard to whether all data was hacked,” a spokesman told the BBC.

The Information Commissioner’s Office (ICO) confirmed that Butlin’s had reported the incident and said it would be making enquiries.

Butlin’s managing director Dermot King said in a statement: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.”

This incident highlights the fact that low-tech cyber crime tactics are still extremely effective, said Jamie Graves, CEO and founder of security software firm ZoneFox.

“The fact that the company is blaming a phishing email again shows the importance of staff being ever-vigilant for inbox imposters,” he said.

“All of the expensive technology in the world can’t defend against someone being convinced that they are talking to a colleague or boss, rather than a cyber criminal.”

However, Graves said technology can determine what exactly has happened to the data – what has been taken, where it has gone and how this was carried out.

“Butlin’s must be given credit for going public with a measured statement within 72 hours of the attack happening – especially with the GDPR timeframes in play for breaches which may include personally identifiable information – and for putting a team on the case to reach out to the individuals affected,” he said.

Trevor Reschke, head of threat intelligence at Trusted Knight, said the simplest attacks are often the most effective and serious.

“Most people use email at work and people are busy and just trying to get their jobs done,” he said. “Security is often back of mind, and mistakes are easily made, which is what the hackers rely on with a phishing attack.”

Read more about phishing

  • Majority of European firms unprepared for phishing attacks.
  • More than one million new phishing sites created each month.
  • Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.

Reschke said the real risk for those potentially caught up in the Butlin’s breach is that the personal information could be used to access other accounts, or for fraudulent purposes.

“Hackers accumulate and sell large databases of personal data in bulk for exactly this reason,” he said. “Those who are affected should be extremely cautious of any unwarranted communications they receive and not just trust the source because they know their address or phone number.

“As always, they should also keep a close eye on their bank accounts to make sure no one has impersonated them.”

Andrew Bushby, UK director at Fidelis Cybersecurity, said phishing campaigns have become increasingly sophisticated and convincing in recent years.

“It’s important to remember that with phishing emails, speed is key, not least because users will start opening the email and clicking on links before the security team has identified the phishing attempt,” he said.

“However, companies often struggle to validate whether an alert is a real threat – a process that can often take days. By automating detection and response processes, companies can find phishing emails in minutes – especially those that are particularly convincing.”

Gary Marsden, senior director, data protection services at Gemalto, said businesses need to protect and anonymise all personal identifiable information through protocols such as encryption and proper key management.

“So even if it’s taken, the data is rendered useless to cyber criminals as it can only be accessed by people authorised to see it,” he said.

Read more on Privacy and data protection

Data Center
Data Management