Butlin's data breach: Over 34,000 visitors' personal data compromised due to phishing attack

  • The holiday camp said the intrusion occurred due to a successful phishing attack.
  • Visitors' names, booking reference numbers, holiday arrival dates, home addresses and more were exposed.

British holiday camp Butlin has admitted that visitor records of up to 34,000 guests may have been accessed by hackers as a result of phishing attack.

Compromised information included visitors’ names, booking reference numbers, holiday arrival dates, home and email addresses, and phone numbers. However, the company said no payment details were compromised in the incident. Users’ login credentials and passwords were also secure, the firm said.

Successful phishing attack

Butlin's said the breach occurred due to a staffer responding to a phishing email that was disguised as a message from the local council.

The incident has since been reported to the Information Commissioner’s Office (ICO) while the company is currently notifying all visitors impacted by the breach.

“We have reported this incident to the Information Commissioner's Office and are putting more measures in place to reduce the risk of something like this happening again,” Butlin's Managing Director Dermont King said in a statement. "I'm sincerely sorry this has happened and can assure you we are doing everything we can to minimize the risk of something like this happening again."

Butlin's said it has also since “improved a number of our security processes.”

“Our investigations have not found any evidence of fraudulent activity related to this event, but our data security experts will continue to work around the clock and have improved a number of our security processes,” the firm said.

The breach comes just months after the EU's strict data protection laws, GDPR, went into effect. Companies that handle European citizens' data and fail to comply could face heavy fines of up to €20 million or 4% of the company's global annual turnover, whichever is higher.