Butlin’s has fallen victim to a phishing attack that may have exposed 34,000 customers’ phone numbers, holiday arrival dates and postal and email addresses.
Dermot King, the company’s managing director, confirmed in a letter that its database had been put at risk following “a phishing attack via an unauthorised email”.
But the company has not established whether the data was accessed and stolen by the attacker, and has not yet found any evidence of subsequent fraudulent activity.
“If you have not heard directly from Butlin’s via email, post or phone by the end of Monday 13 August this issue does not affect you,” said King in the letter.
“I’m sincerely sorry this has happened and can assure you we are doing everything we can to minimise the risk of something like this happening again.”
The Information Commissioner’s Office has been notified and is investigating the incident. The potentially breached data, King added, does not include usernames, passwords or payment details.
“The simplest attacks are often the most effective and serious,” said Trevor Reschke, head of threat intelligence at Trust Knight. “Most people use email at work and people are busy and just trying to get their jobs done. Security is often back of mind, and mistakes are easily made, which is what the hackers rely on with a phishing attack.”
Jamie Graves, the CEO of ZoneFox, said Butlin’s must be given credit for “going public with a measured statement within 72 hours of the attack happening” and “for putting a team on the case to reach out to the individuals affected”.