Butlins data breach: an example of not getting basics of data protection right, says data protection expert

Butlins has revealed that the details of 34,000 guests at its resorts have been compromised.

Booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers were accessed in a phishing attack.

Butlins managing director Dermot King said: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes. I would like to apologise for any upset or inconvenience this incident might cause.”

Gary Marsden, Senior Director, Data Protection Services at Gemalto, said: “Whilst no payment details were lost, this data breach is yet another example of a company not doing the basics of data protection. Data is the new oil, so exposing any form of sensitive data, not just financial, means that hackers can sell to the highest bidder on the dark web to be used for exploitive measures. In order to stop this from happening, businesses need to protect and anonymise all personally identifiable information at its core through protocols like encryption and proper key management. So even if it’s taken, the data’s rendered useless as it can only be accessed by people authorised to see it.”

Ian Woolley, Chief Revenue Officer at Ensighten, a Data Privacy and Omni-Channel Data Management company, said: “Butlins is yet another example of a brand that has been caught out by a third-party hack. Companies must go beyond their own walls to protect customers – effective security can’t be tackled in silos. While brands have made strides to become compliant, it isn’t enough. The goal must be to consistently identify and address gaps that could make their customers vulnerable.

“Leaking data may result in huge fines but the bigger loss from a breach such as this is consumer trust. Prevention is always better than cure – working with partners to take a holistic view of a company, and its ecosystem can help bolster security from the outset, giving brands and consumers peace of mind.”

