You know how it is, when you get home with a suitcase full of laundry and an overloaded overdraft, and all the realities of everyday life return… how quickly that relaxed fun mood of your summer holiday can evaporate?

Well, never more so than when you learn from your holiday company that you could be one of 34 thousand guests whose personal details have been breached by hackers, as happened recently to customers of Butlins – a British family holiday brand whose history dates back to the 1930s.  

Not the biggest breach of the last 12 months, compared with some of the huge data losses of the likes of Equifax and Dixons Carphone. And let’s face it, events of 2018 have certainly blown away any expectations that our data is always in safe hands with brands we trust, had we still clung fondly to that belief.  But holiday companies carry a lot of expectation and responsibility, especially those whose target market is families – we trust them to get all sorts of things right, from our poolside health and safety to the booking administration. So perhaps it’s rather a blow to that confidence when we learn that they appear to have fallen victim to a phishing scam, even more so than when it happens to a faceless international corporation.

“Butlin’s take the security of our guest data very seriously and have improved a number of our security processes,” managing director Dermot King said in a statement. “I would like to apologise for any upset or inconvenience this incident might cause.”

They stressed that no financial information had been compromised and that the records affected consisted of contact details – but were obliged to disclose that the lost data also included holiday dates, creating a huge potential vulnerability. Assuming the slightest awareness of domestic security, you generally do not choose to advertise to anyone when your home is going to be empty for any period of time – but what’s the point of admonishing your children for bragging about their hols on social media when the holiday company you have booked with then loses a database of addresses combined with the dates those properties will be vacant?

Email addresses and phone numbers were also lost in the breach, and anyone affected needs to be aware that this puts them at greater risk of phishing attacks themselves. A recent trend is for fraudsters to capitalise on the publicity surrounding an incident to impersonate the brand – in this case, to impersonate Butlins, with an email encouraging you to check that your payment information is up to date or to confirm details. These addresses will change hands many times on the dark web, and because they were used to make a holiday booking, will be regarded as high-quality, main-inbox contacts – making the hackers a tidy sum. The same goes for the phone numbers: an unexpected call, particularly one from someone who appears to know plenty about who or where you are, can easily catch anyone off guard and open the door to further social engineering.

Despite Butlins being known and loved by many as one of the leading holiday companies in the UK, the damage to the Butlins brand is likely to be long-lasting. They did the right thing once the breach was discovered, advising the ICO within the new GDPR-specified 72-hour timeframe, and apologising to those affected. But trust is something which takes years to build, and can be damaged irrevocably in a single incident. We haven’t found any reports of people whose addresses were stolen being burgled whilst on a Butlins holiday – but if, or when, any such stories emerge, the media focus will be devastatingly high-impact.

And whilst we’ll never hear about the exact mechanism through which the breach occurred, a phishing attack was mentioned – indicating that, as is so often the case, human judgement of a situation or communication was the weakest link.

It doesn’t matter how good your information security systems are if your staff training and awareness around data protection and privacy are not up to scratch. The arms race on the technical front will continue forever, but as security systems become ever more sophisticated, hackers are doubling down on human frailties as the point of greatest vulnerability.

As the regulators flex their muscles and test out their new legislative powers, we can expect to see greater scrutiny of what information controllers are doing to ensure their frontline staff are aware, trained and completely confident in their handling of personal data. They’ll be looking to see that a culture of privacy by design is embedded at all levels, and continually maintained and updated.

Could your organisation withstand an investigation on this front? Is every member of your team who handles personal data completely aware of their responsibilities and liabilities? If you have any concerns at all, please contact us for a private and no-obligation discussion, on: 0203 2870163, or email us: