The holiday camp owner published a notice late last week revealing that up to 34,000 booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers may have been breached.
Managing director, Dermot King, claimed that affected guests would be contacted by the end of Monday 13 August. Payment details and username/password combinations are safe and there has been no sign of fraudulent activity thus far on the stolen data, he added.
The firm blamed “a phishing attack via an unauthorized email” for the incident and said it had since “improved a number of our security processes.” However, it’s difficult to counter the threat posed by phishing emails as they rely fundamentally on tricking the employee rather than their machine.
That’s why 93% of breaches last year involved some form of phishing, according to Verizon.
McAfee chief scientist, Raj Samani, argued that not only will Butlin’s customers be at risk from follow-on phishing attacks using the stolen information to appear more convincing, but because the hackers have access to info on holiday arrival dates, their houses may be at risk from burglars.
“Recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to. If you use the same password across a number of apps and accounts you need to change it now,” he cautioned. “Introduce a password generator to ensure you have unique passwords across all accounts. And for holidaymakers’ home security, they should ensure they have a trusted neighbor keeping an eye on the property while away and alarms set.”
Unlike Reddit, Butlin’s reported the incident within 72-hours and has proactively notified all affected customers, so it should escape the wrath of GDPR investigators.