View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 10, 2018

34,000 Butlins Guest Records Stolen by Hackers, Company Admits

Butlins data breach caused by hackers phishing unauthorised emails.

By Umar Hassan

Butlins has become the latest company to be affected by a data breach as up to 34,000 Butlins guest records were accessed by hackers.

The Hemel Hempstead-based holiday camp chain is the most recent company affected by a data breach in a list that includes the likes of Costa Coffee, Carphone Warehouse, Ticketmaster and Adidas.

Butlins have said on their website the guest records the hackers accessed included 34,000 booking reference numbers, lead guest names, holiday arrival dates, postal/email addresses and telephone numbers.

According to Verizon’s “2018 Data Breach Investigation Report”, it found phishing was the third-most used attack method for hackers as it was used in 1,192 incidents and 236 confirmed data breaches.

The report also found that 17 percent of phishing campaigns were reported despite 20 percent clicking on one phishing campaign every year.

How Did The Hackers Access Butlins Guest Records?

Butlins explained that the guest records were accessed by hackers as a result of a phishing attack conducted via an unauthorised email.

The company have reassured customers who have booked a holiday that their payment details are secure and uncompromised along with their usernames and passwords.

Content from our partners
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer
Financial management can be onerous for CFOs, but new tech is helping lighten the load

Dermot King, Butlins Managing Director explained in a letter that the company was reporting this incident to the Information Commissioner’s Office.

King said: “We have reported this incident to the Information Commissioners Office and are putting more measures in place to reduce the risk of something like this happening again.”

With the introduction of GDPR in May 2018, companies that report data breaches must notify the relevant regulator (Information Commissioner’s Office) within 72 hours.

Laurance Dine, Managing Principal, Investigative Response at Verizon told Computer Business Review about how businesses can prepare and mitigate social attacks.

Dine commented “Some people will click an attachment faster than Harry Turner. Perhaps you send them a tablet and a keyboard or a laptop running a sandboxed OS that only runs signed code.

“Train the responders along with the end-user base. Test your ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm existence of data exfiltration.”

See Also:  Carphone Warehouse Data Breach: The Security Experts Respond

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.