The records of up to 34,000 Butlin’s holidaymakers have been accessed by hackers, the domestic operator confirmed.
While the stolen data does not include payment details, customers’ names, holiday dates, postal and email addresses and telephone numbers are believed to have been accessed.
A spokesperson confirmed that the compromise had taken place within the last 72 hours, and was caused via a phishing email by an “unauthorised third party”.
British companies must notify the Information Commissioner’s Office of any data breaches within 72 hours or face a fine under the EU’s new General Data Protection Regulation,
Butlin’s said its own investigations “have not found any fraudulent activity related to this event”.
It added: “Guests who may have been affected are being contacted directly by Butlin’s to let them know what’s happened, what they should do and what is being done to resolve the situation.”
An ICO spokesperson said: “Butlin’s has made us aware of an incident and we will be making enquiries.”
Butlin’s managing director Dermot King added: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.
“I would like to apologise for any upset or inconvenience this incident might cause. A dedicated team has been set up to contact all guests who may have been affected directly.”
Individuals who believe they may have been affected should be cautious not to give out any additional details when contacted by individuals representing themselves as being from Butlin’s, as this is a common activity by fraudsters following data breaches.