Holiday camp Butlin's was targeted by a successful phishing scam recently that compromised personal details of up to 34,000 guests, including their home addresses and holiday schedules.
In a statement sent to affected guests, Butlin's announced that some personal details such as names, home addresses, and arrival dates of guests were compromised by the phishing scam but no financial details of guests were compromised. It added that it had informed the Information Commissioner's Office about the breach within 72 hours of discovering it in compliance with the GDPR.
"Butlin's take the security of our guest data very seriously and have improved a number of our security processes. I would like to apologise for any upset or inconvenience this incident might cause," said Dermot King, Managing Director of Butlin's.
Butlin's breach puts the privacy of guests at risk
Raj Samani, chief security scientist at McAfee, told the Daily Star that even though the cyber criminals behind the phishing scam did not get their hands on financial information, they found enough to build profiles of individuals and commit identity fraud.
"They’ve managed to access a huge amount of personal information which can create a clear picture of an individual. They will also know who is away from home which can put the physical safety of homes at risk," he warned.
"Be alert to possible phishing emails from Butlins over the coming weeks. Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore," Jake Moore, Security Specialist at ESET, told IT Pro UK.
Rob Shapland, principal cyber security engineer at Falanx Group, also warned about the reputational damage that Butlin's could suffer because of the cyber security incident.
"The reputational damage to Butlin’s could be extensive, especially if it were to lead to a customer being affected in this way. The breach perhaps shows that Butlin’s processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches," he said.
Major phishing campaign targeting UK industries
News about the latest phishing campaign targeting Butlin's comes not long after a report from Kaspersky Lab revealed that 400 organisations across various industries, including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining, and logistics in the UK, are being targeted by a phishing campaign that involves the use of deceptive e-mails to lure employees into sending money to hackers' accounts.
"The main distinguishing feature of these attacks is the high level of preparation, in that the scam artists address an employee by first and last name, they know the position the person occupies and the company’s area of focus, and all the information on the source of the offer looks legitimate," the security firm noted.
"Educating workers and consumers [to identify phishing emails] is, of course, crucial, but relying solely on education is not enough – bad actors have the technical skills, data access, and time to overcome and eventually circumvent superb defensive training.
"Part of the solution is to understand that every organisation needs to take a more serious, advanced, layered approach to authenticating their staff members and users rather than relying on decades-old password schemes. This need to evolve also applies to the online companies and institutions where the stolen credentials are later used to make a profit," said Robert Capps, vice president at NuData Security.