Butlins data breach: an example of not getting basics of data protection right, says data protection expert

Butlins has revealed that details on 34,000 guests at its resorts have been hacked.

Booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers have been accessed as part of a phishing attack.

Butlins managing director Dermot King said: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes. I would like to apologise for any upset or inconvenience this incident might cause.”

Gary Marsden, Senior Director, Data Protection Services at Gemalto: “Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection. Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures. In order to stop this from happening, businesses need to protect and anonymise all personally identifiable information at its core through protocols like encryption and proper key management. So even if it’s taken, the data’s rendered useless as it can only be accessed by people authorised to see it.”

Ian Woolley, Chief Revenue Officer at Ensighten, a Data Privacy and Omni-Channel Data Management company, said: “Butlins is yet another example of a brand that has been caught out by a third-party hack. Companies must go beyond their own walls to protect customers – effective security can’t be tackled in silos. While brands have made strides to become compliant, it isn’t enough. The goal must be to consistently identify and address gaps that could make their customers vulnerable.

“Leaking data may result in huge fines but the bigger loss from a breach such as this is consumer trust. Prevention is always better than cure – working with partners to take a holistic view of a company, and its ecosystem can help bolster security from the outset, giving brands and consumers peace of mind.”

The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.

Pre-registration for DPWF 2019 will be opening in the coming weeks.