Holiday camp business Butlin’s has confirmed that the records of up to 34,000 guests have been accessed by hackers.
While the stolen data doesn’t include payment details, customers’ names, holiday dates, postal and email addresses and telephone numbers are believed to have been accessed.
A spokesperson confirmed to Sky News that the compromise had taken place within the last 72 hours, and was caused via a phishing email.
Under the EU’s new General Data Protection Regulation, British companies must notify the ICO of any data breaches within 72 hours or face a fine.
The company said its own investigations “have not found any fraudulent activity related to this event”.
It added: “Guests who may have been affected are being contacted directly by Butlin’s to let them know what’s happened, what they should do and what is being done to resolve the situation.”
Individuals who believe they may have been affected should be cautious not to give out any additional details when contacted by individuals representing themselves as being from Butlin’s, as this is a common activity by fraudsters following data breaches.
The holiday camp chain said it had reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator.
In 2016, the ICO fined TalkTalk a record £400,000 for its security failings after the personal details of 156,959 customers accessed, including their names, addresses, dates of birth, phone numbers and email addresses.
Butlin’s managing director Dermot King said: “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.
“I would like to apologise for any upset or inconvenience this incident might cause.
“A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised.”