back to article Hi-de-Hack! Redcoats red-faced as Butlin's holiday camp admits data breach hit 34,000

Holiday camp and British institution Butlin's has admitted 34,000 visitor records have been compromised. Guest names, holiday dates, postal addresses, email and telephone numbers have been exposed. Butlin's said payment card details are not at risk. The breach was the result of staff responding to a phishing email that posed …

  1. Crisp

    Payment card details might not be at risk

    But someone somewhere has a list of addresses and knows when the houses will be vacant.

  2. Anonymous Coward
    Anonymous Coward

    34,000 people go to Butlins.

    Say it isn't true.

  3. Locky

    Inside job

    My money's on Peggy. She always knew too much

  4. Anomalous Cowturd
    FAIL

    Well, that's a coincidence...

    My step-daughter and her family departed for Butlitz in Bognor Regis this very morning. I wonder what surprise she'll be coming home to?

    I'm not going to spoil her holiday by telling her this news. :o(

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, that's a coincidence...

      Well if her details were compromised, I hope she'll be doing two things - making a choice to avoid the company's services in future, and writing to the CEO (Paul Flaum of Bourne Leisure?) pointing out that there are no excuses here other than incompetence, and that this incompetence has measurable financial consequences.

      I'm writing to the Whitbread and Dixonscarphone's bosses with that messagr since they've both manage to spill my details recently. To add a little something to the mix, it'll be a joint letter, in order to wash their dirty laundry with one of their peer group.

      1. JerseyDaveC

        Re: Well, that's a coincidence...

        Only problem with boycotting Whitbread is whether I can face staying in a Travelodge instead of my usual fleet of Premier Inns ...

  5. Little Mouse

    "responded to a phishing email"...

    Clarification please - Did some numpty actually send the personal details of 34,000 people to someone outside the company in response to a phishing email, or did they just activate some malware by clicking-on-the-link?

    1. sitta_europea Silver badge

      Re: "responded to a phishing email"...

      "Did some numpty actually send the personal details of 34,000 people to someone outside the company in response to a phishing email, or did they just activate some malware by clicking-on-the-link?"

      Does it really matter?

      1. adnim

        Re: "responded to a phishing email"...

        "Does it really matter?"

        For numpties, no.

        For those that care about security, yes.

      2. Little Mouse

        Re: "responded to a phishing email"...

        Does it really matter...

        Clicking on a polluted link is one level of stupid.

        Going to the trouble of collating lots of personal info and blindly sending it to an organisation that, when you think about, has no actual need or right to it anyway, is bordering on the fucking criminal.

        It may not "matter" as such, but I'd certainly be interested to know.

        1. Anonymous Coward
          Anonymous Coward

          Re: "responded to a phishing email"...

          I would guess from the article it's malware from a link in an email from the local council because just replying to an email isn't going to get data. It sounds a bit too targeted for my liking though.

      3. Anonymous Coward
        Linux

        Re: "responded to a phishing email"...

        "Did some numpty actually send the personal details of 34,000 people to someone outside the company in response to a phishing email, or did they just activate some malware by clicking-on-the-link?"

        Does it really matter?’

        Well, one is a clerical error and the other is a major defect in the underlying innovation :]

    2. adnim

      Re: "responded to a phishing email"...

      Clarity? Yes please.. One would presume a phishing email from the local council would present a link to mock up of a local council service account login page.

  6. spold Silver badge

    Drunk IT redcoats only fed soggy sarnies...

    What do you expect?

    I hear some knobbly knees knockin'

    https://www.thesun.co.uk/wp-content/uploads/2017/03/nintchdbpict000310205871.jpg?w=960

  7. Dave Bell

    Butlins has changed since the Hi-Di-Hi era, much smaller than it was and includes hotels on the sites. But just what happened? I'd distinguish between phishing and malware. 34,000 sets of booking details sounds way too big to be the result of a phishing attack pretending to be the local council. A fake email from a local council could be a vector for malware, but how plausible was the email? The scale looks like one site, so it hangs together, but I wonder how robust the system is.

    Local councils could plausibly mail out regular information, such as event lists, which somebody might almost automatically open, but why would such stuff get close to the bookings database? Maybe something was sent to customers, but what?

  8. Anonymous Coward
    Terminator

    Causality violations and phishing emails

    "All breaches of personal information create a heightened risk from phishing emails and ID theft."

    HAL 9000: I'm sorry Dave, but that sentence don't even parse. That would be like the the fault in the AE35 unit in the future created my psychotic breakdown in the past.

  9. Paul 87

    It's easy to call people numptys and other names for clicking on malware links but it's all too easily done.

    IT security should be built on the assumption that humans are dumb, and will click things without thinking.

    What matters now is whether or not Bourne Leisure responds properly to this, whether they can justify the data they're holding and if they take steps to prevent the same issue occuring.

    1. ThatOne Silver badge
      Devil

      > IT security should be built on the assumption that humans are dumb

      IT security is built on the knowledge that law is lenient, customers have very short memories, and thus that those breaches don't really matter in the end. All right, Butlin will get frowned upon by the powers that be for a day or two, they will get a small pile of abuse mail from the victims, but does all that matter to them? Not really. What matters is the money not wasted in educating low-wage temps who will be gone before long anyway.

      1. EnviableOne

        Its all cost benefit analysis, the cost of the training vs the added publicity of a breach and the limited likleyhood of it occuring ......

        Its a shame, but untill we can get Security on a Par with Health and Saftey (CXOs are criminally liable) there will be little change from this equation. This is where GDPR didnt go far enough.

  10. Valeyard

    When houses are empty

    Out of all the possibilities it's strange that this is what people focus on.

    Between about 8am and 7pm pretty much every house in the area will be empty unless you live in middlesbrough, and I doubt the scallies have taken up phishing over knocking a random door and asking if dave's in, to see if anyone answers the door

    1. Aladdin Sane
      Trollface

      Re: When houses are empty

      Do the sort of people who go Butlins really have anything worth stealing?

      1. Anonymous Coward
        Anonymous Coward

        Re: Do the sort of people who go Butlins really have anything worth stealing?

        (Moderately offensive stereotype for which I partially apologise: I myself haven’t had the money for a foreign holiday for a few years either, but I’d rather go to visit friends than stay in the faded grandeur of a now somewhat antiquated holiday camp, sorry.)

        That speedboat they won on Bullseye?

  11. MJI Silver badge

    Those places fill me with horror

    Never stayed at one, but it looks too much like a prison camp

  12. usamaraudo

    34000 people at risk

    Its surprising how easily these data breaches are occurring these days. My suggestion would be to people to start using vpn.

    1. Hans 1
      Paris Hilton

      Re: 34000 people at risk

      It's surprising how easily these car thefts are occurring these days. My suggestion to people would be to start using ethanol as fuel.

      Makes just as much sense as what you wrote ... how is vpn (tunnel connection between two systems) gonna have any effect on the gullibility of the average staffer ?

  13. unixoid

    Financial data

    Hi, i have reason to believe (99% confidence) that financial data was stolen in this data breach, despite the statements and reassurances made by Butlins.

    Butlins did not inform the person in question, and their credit card was cloned within the past week, involving a phonecall from the bank's fraud department. This being a relatively new (few months old) activated credit card, and has only been used since activation to solely make payments to Butlins.

    What can i do about this? As Butlins has clearly overlooked the situation, or has flat out lied about the severity of this data breach.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like