Personal information contained within the records accessed by hackers includes names, booking reference numbers, arrival dates, home addresses, email addresses, and telephone numbers.
The company, which has sites in Skegness, Bognor Regis, and Minehead, is at pains to point out in an advisory posted on its website that no financial information has been compromised, and says it will be contacting affected guests in the next few days.
Obviously as the hackers appear to have made off with holidaymakers’ contact details, Butlin’s customers would be wise to be cautious of any approaches (via phone or letter) that might request further personal information, such as financial details, perhaps under the disguise of offering compensation.
Fraudsters could also attempt to trick unsuspecting customers into clicking on dangerous links, that may attempt to phish further information from them.
The holiday camp company says that the hackers managed to gain access to its data after successfully phishing an employee via email.
If that’s the case then there will undoubtedly be speculation that the company did not have additional layers of authentication properly in place to prevent access to its systems by unauthorised parties – even if passwords were successfully phished.
The normal way to do this is with some form of two-factor authentication (2FA), where a six digit code generated by an authentication app or token is entered alongside a static username and password.
Having multi-factor authentication in place is one of the ways in which companies can make it harder for remote hackers to access their sensitive data. In addition, systems can be put in place to warn workers than an email originated from outside the company, or to spot unusual data access. Furthermore, a good enterprise password manager can enforce the use of strong, unique passwords – and reduce the likelihood of them being entered on bogus phishing sites.
Butlin’s managing director Dermot King said that “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.”
Butlin’s has set up an email address for concerned customers to contact if they have any questions: [email protected]
The data breach has been reported to the UK’s Information Commissioner’s Office (ICO) which has confirmed it is looking into the incident.