Holiday and leisure firm Butlins has confirmed that it has been subject to a hack affecting the records of an estimated 34,000 customers. And while no payment data was accessed, experts say the Butlins breach exposes those affected to identity theft.
“Although no credit card data was compromised, the personal data stolen from Butlin’s could be very useful for criminals conducting identity theft,” said Rob Shapland, principal cyber security engineer at Falanx Group.
He also warned that the data taken in the Butlins breach could be used by thieves to rob customers while they are away.
“Guests should be very concerned about this breach, especially those with future holiday dates already booked,” he said.
“The criminals will now know home addresses, and the dates those people will be on holiday, meaning they can target properties when they know they will be empty.
“The reputational damage to Butlin’s could be extensive, especially if it were to lead to a customer being affected in this way.”
White hats on Red Coats: the cybersecurity view of the Butlins breach
As the news broke, cybersecurity industry experts began speculating about the cause, with the most prominent theory being that it was the result of a phishing attack.
This suggests the organisation needs to enact more training to protect its staff from aiding this kind of incident.
“The breach perhaps shows that Butlin’s processes and training may not be sufficient,” said Shapland.
“A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches.”
“Companies must go beyond their own walls to protect customers – effective security can’t be tackled in silos,” added Ian Woolley, chief revenue officer at Ensighten.
“While brands have made strides to become compliant, it isn’t enough. The goal must be to consistently identify and address gaps that could make their customers vulnerable.”
What customers should do to protect themselves from the Butlins breach
For those impacted by the Butlins breach, the advice is similar to that given after previous attacks.
“Ensure you have a strong complex password on any accounts that have a link to your personal information, for example, your name, job title, address, phone number,” said Jake Moore, Security Specialist at ESET.
“Please note that strength of a password is determined by its length. I therefore advise that your passwords are made up of three unrelated words and not ‘yourcatsname.1’.”
Customers should also be on the lookout for phishing attacks via emails that appear to be from the holiday company.
“Be alert to possible phishing emails from Butlins over the coming weeks. Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it,” he advised.
“These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore. Therefore, as a rule of thumb, do not click on any links or download any documents that you are not expecting. Try and verify if and where you can the origin of an email before acting upon any requests.”
Could the Butlins breach be subject to GDPR?
Of course, as with any breach of user data, Butlins may well be subject to GDPR, and the associated punishing fines. However, if the company can demonstrate it has behaved responsibly and taken reasonable steps to protect customer data, it may protect itself from a severe financial payout.
What may prove more difficult is keeping consumer confidence.
“Leaking data may result in huge fines but the bigger loss from a breach such as this is consumer trust,” said Woolley.
“Prevention is always better than cure – working with partners to take a holistic view of a company, and its ecosystem, can help bolster security from the outset, giving brands and consumers peace of mind.”