Data security breach at Butlin's
Butlin’s has admitted to a data breach that has resulted in the possibility of some 34,000 booking reference numbers, guest names, holiday dates, postal addresses, email addresses and telephone numbers having been accessed inappropriately. Managing Director Dermot King was quick to point out that there had been no actual sign of fraudulent activity and that payment details, usernames and passwords were safe.
Blame was laid at the door of a phishing attack via unauthorised email. Whilst the company has promised to implement ‘improvements in security processes’ it is questionable whether it will make much difference in the fight against such activities, since their success tends to rely on tricking human operators. Butlins has faced strong criticism over the incident.
Raj Samani, chief scientist at computer security firm McAfee, pointed out that not only was there a risk that the stolen information could be used to target the customers affected with further phishing attacks in the future, but that there was now a risk that thieves had a list of dates when they know that those customers’ homes are likely to be unoccupied. He advised that affected customers should change account passwords immediately and use a password generator to create unique passwords for every account held online.
Sadly this rather predictable bit of ‘ideal world’ advice, although excellent and unarguable, is almost certain to be ignored by many people, who struggle to remember the one or two passwords they already have but also hesitate to write them down. Rather more practical, perhaps, was his advice on the potential risk of burglary - have a trusted neighbour keep an eye on your house and set your burglar alarm. Sensible, but one suspects that it may have already occurred to some of those affected.
To its credit Butlin’s was swift to report the incident, doing so within the 72 hours stipulated by the GDPR. That said, it is easy to see that the potential damage caused by this incident could be very significant. Even if there are no consequences at all for the 34,000 customers, this is the kind of publicity that Butlin’s could have done without.