By Lauren Howells.

Up to 34,000 guest records may have been accessed by an unauthorised third party as the result of a phishing attack, holiday camp Butlin’s has revealed. 

Guest data includes lead guest names and postal addresses

Butlin’s confirmed that data which may have been affected include booking reference numbers, lead guest names, holiday arrival dates and guest contact details, including email and postal addresses.

On a webpage dedicated to the incident, Butlin’s managing director, Dermot King, reassured guests that their payment details were secure and had not been compromised. He added that guest usernames and passwords were also secure.

Butlin’s said that its investigators had not found any evidence of fraudulent activity related to this event. However, it said its data security experts would continue to work “around the clock” and had already improved a number of its security processes.  

Incident reported to the Information Commissioners Office

Butlin’s confirmed that it had reported the incident to the Information Commissioners Office (ICO) and said it was in the process of putting more measures in place to reduce the risk of reoccurrence in the future.

Guests who may have been affected should have heard by Butlin’s via post, phone or email by the end of Monday 13th August.

“I’m sincerely sorry this has happened and can assure you we are doing everything we can to minimise the risk of something like this happening again”

Mr King apologised and made assurances that Butlin’s was doing everything it could.

Butlin’s confirmed that it had set up a team dedicated to the incident, which could be contacted by email at

“Crucial need” to train staff to recognise phishing scams

Butlin’s warns that guest records may have been hacked

According to the BBC, at the moment, Butlin’s does not know whether information on all 34,000 guests was hacked. 

A lawyer reportedly told the BBC that this breach, caused by a phishing attack via an unauthorised email, demonstrated the “crucial need” to train staff to recognise “increasingly sophisticated communications” which purported to be authentic and called human error the “greatest single point of weakness” in a business’ security.

MoneySavingExpert warned those affected to keep a lookout for phishing scams.  

Butlin’s is the latest in a line of organisations to have announced a possible data breach.

Back in June of this year, Dixons Carphone admitted a data breach which reportedly involved 5.9 million payment cards (nearly all of which were protected by chip and pin) and 1.2 million personal data records. At the end of last month, Dixons Carphone admitted that the data breach actually involved 10 million customers, much more than the 1.2 million it had originally estimated.