Butlin’s data breach

If there are any positives to come out of the Butlin’s data breach, it’s that they reported it within 72 hours – a requirement of the EU GDPR (General Data Protection Regulation).

The breach, which has apparently affected some 34,000 of Butlin’s customers, is interesting for a number of reasons:

  • It’s one of the first major breaches that has occurred since the GDPR came into force – and, therefore, potentially among the first to be fined;
  • Reporting the breach within the given time demonstrates some level of GDPR compliance;
  • The contrast between the sheer banality of the breach and the seriousness of its consequences; and the
  • Unique sensitivity of data

First GDPR offence?

Reporting the data breach to the ICO (Information Commissioner’s Office) is only the first step of many. As part of ICO’s reporting process, Butlin’s is required to answer a number of questions including: did the employee involved have appropriate training? and what could have been done to avoid the breach?

Presumably the ICO will investigate the breach and will likely consider the extent in which Butlin’s was negligent in protecting client data and examine the broader state of Butlin’s approach to GDPR compliance. After all, the ICO did say, two years ago, that they would access an organisation’s overall approach to compliance, and the extent to which they could demonstrate proper accountability, in order to determine the extent of its negligence.

Data breach reported on time

If the reported timescales are true, then Butlin’s have certainly taken the right step by reporting their breach to the ICO.

We can assume that Butlin’s was able to do this because –  like any smart organisation – they were prepared.

With the current information available, we can ascertain that the only failing was inadequate staff training.

This risk of compromising such a vast number of records due to something as banal as a phishing email should drive organisations to ensure staff are educated on how to spot a such emails.

Unique sensitivity of data

Butlin’s claims that no payment card data was compromised. That’s good – they’re supposed to be PCI DSS compliant. But, through human error, they have been breached.

Unfortunately, for Butlin’s and their customers, the type of data that was stolen is likely to become a bigger problem than had it simply been payment data that was stolen.

Booked holiday dates and customer addresses were stolen in this hack meaning that someone somewhere has information on properties that are likely to be empty on certain dates. It wouldn’t be difficult to sell that data.


As more information about this data breach comes to light, we’ll be able to determine just how prepared Butlin’s was for a data breach. But as this point, we can at least say that Butlin’s has taken the correct step in reporting it on time. Let’s hope their fast action is a sign that they have the necessary measures in place to survive a data breach.