Butlins has become the latest company to be affected by a data breach as up to 34,000 Butlins guest records were accessed by hackers.
The Hemel Hempstead-based holiday camp chain is the most recent company affected by a data breach in a list that includes the likes of Costa Coffee, Carphone Warehouse, Ticketmaster and Adidas.
Butlins have said on their website the guest records the hackers accessed included 34,000 booking reference numbers, lead guest names, holiday arrival dates, postal/email addresses and telephone numbers.
According to Verizon’s “2018 Data Breach Investigation Report”, it found phishing was the third-most used attack method for hackers as it was used in 1,192 incidents and 236 confirmed data breaches.
The report also found that 17 percent of phishing campaigns were reported despite 20 percent clicking on one phishing campaign every year.
How Did The Hackers Access Butlins Guest Records?
Butlins explained that the guest records were accessed by hackers as a result of a phishing attack conducted via an unauthorised email.
The company have reassured customers who have booked a holiday that their payment details are secure and uncompromised along with their usernames and passwords.
Dermot King, Butlins Managing Director explained in a letter that the company was reporting this incident to the Information Commissioner’s Office.
King said: “We have reported this incident to the Information Commissioners Office and are putting more measures in place to reduce the risk of something like this happening again.”
With the introduction of GDPR in May 2018, companies that report data breaches must notify the relevant regulator (Information Commissioner’s Office) within 72 hours.
Laurance Dine, Managing Principal, Investigative Response at Verizon told Computer Business Review about how businesses can prepare and mitigate social attacks.
Dine commented “Some people will click an attachment faster than Harry Turner. Perhaps you send them a tablet and a keyboard or a laptop running a sandboxed OS that only runs signed code.
“Train the responders along with the end-user base. Test your ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm existence of data exfiltration.”