Thousands of customers affected by Butlins data breach

Company insists ‘no financial data has been compromised’ and apologises

Butlins said the data at risk included names, home addresses, email addresses and telephone numbers.

Butlins said the data at risk included names, home addresses, email addresses and telephone numbers.


Butlins has said up to 34,000 customer records may have been accessed by hackers.

The holiday camp firm said the data at risk included names, home addresses, email addresses and telephone numbers, but that payment details were secure.

The incident has been reported to the Information Commissioner’s Office (ICO) and the firm is contacting people who may have been affected to inform them and tell them what they should do.

Butlins said its own investigations had not found any fraudulent activity related to the data breach.

People who believe they may have been affected should be cautious about giving any additional details when contacted by individuals purporting to be from the leisure company.

Butlins managing director, Dermot King, said: “Butlins take the security of our guest data very seriously and have improved a number of our security processes. I would like to apologise for any upset or inconvenience this incident might cause.

“A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised.”

Meanwhile, Liverpool football club is writing to a group of supporters who used online ticketing services or telephone sales in 2012 to advise them to change their password following “unauthorised external access to an employee account”.


The club has reset the online ticketing passwords for fans and is recommending other steps to a wider group.

It said there was no evidence that any supporter accounts had been accessed and no financial information was involved.

A number of large companies in Britain have been targeted by hackers in recent years.

Carphone Warehouse was fined £400,000 by the ICO in January for a series of “systemic failures” uncovered after a data breach in 2015.

The fine, one of the largest ever issued by the ICO and the same as the fine given to TalkTalk in 2016, came after a hacker managed to access the personal data of more than 3 million customers and 1,000 employees, including credit card details, names, addresses and phone numbers.

During the investigation, the ICO discovered 11 separate issues with the company’s data protection and security practices that would have breached the Data Protection Act on their own.


In May, Grant West (26) who carried out cyberattacks on companies including Sainsbury’s, Asda, Uber, Argos, Ladbrokes and Coral before selling customers’ data on the dark web, was jailed for more than 10 years.

He obtained the email addresses of more than 160,000 people and sent them phishing scams masquerading as Just Eat to get their personal data.

West, who used the online identity “Courvoisier”, sold the information on the dark web, stashing his £1.6 million profits in online caches of bitcoin. – Guardian Service