Butlins Breach

In response to the news that Butlins has confirmed that the records of up to 34,000 guests have been accessed by hackers, IT security experts commented below.

Rob Shapland, Principle Cyber Security Engineer at Falanx:

“Although no credit card data was compromised, the personal data stolen from Butlin’s could be very useful for criminals conducting identity theft. Guests should be very concerned about this breach, especially those with future holiday dates already booked. The criminals will now know home addresses, and the dates those people will be on holiday, meaning they can target properties when they know they will be empty. The reputational damage to Butlin’s could be extensive, especially if it were to lead to a customer being affected in this way. The breach perhaps shows that Butlin’s processes and training may not be sufficient. A combination of security awareness training for staff and protective monitoring to detect any breaches would be a sensible investment to help minimise the chance (and potential impact) of any future breaches.”

Jake Moore, Security Specialist at ESET: 

“Ensure you have a strong complex password on any accounts that have a link to your personal information, for example, your name, job title, address, phone number. Please note that strength of a password is determined by its length. I therefore advise that your passwords are made up of three unrelated words and not “yourcatsname.1”

Be alert to possible phishing emails from Butlins over the coming weeks. Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore. Therefore, as a rule of thumb, do not click on any links or download any documents that you are not expecting. Try and verify if and where you can on the origin or an email before acting upon any requests.”

Dr. Jamie Graves, CEO & Founder at ZoneFox:

“Following on from the likes of Carphone Warehouse’s incident earlier in the year, another major UK company has been attacked. What this showcases once more is the strength in existing, low-technology cybercrime tactics; in this case, a simple phishing email.

As such, this shows again the importance of staff being ever-vigilant for inbox imposters. All of the expensive technology in the world can’t defend against someone being convinced that they are talking to a colleague or boss, rather than a cybercriminal. What that technology can do, though, is determine what exactly has happened to the data; what has been taken, where it has gone and how exactly this was carried out.

However, Butlin’s must be given credit for going public with a measured statement within 72 hours of the attack happening – especially with the GDPR time-frames in play for breaches which may include personally identifiable information – and for putting a team on the case to reach out to the individuals affected.”

Trevor Reschke, Head of Threat Intelligence at Trusted Knight:

“The simplest attacks are often the most effective and serious. Most people use email at work and people are busy and just trying to get their jobs done. Security is often back of mind, and mistakes are easily made, which is what the hackers rely on with a phishing attack.

“The real risk for those caught up in the Butlin’s breach is that the personal information that has potentially been leaked will be used to access other accounts, or for fraudulent purposes. Hackers accumulate and sell large databases of personal data in bulk exactly for this reason. Those who are affected should be extremely cautious of any unwarranted communications they receive and not just trust the source because they know their address of phone number. As always, they should also keep a close eye on their bank accounts to make sure no one has impersonated them.”

Rashmi Knowles, Field CTO EMEA at RSA Security:

“At present, most businesses don’t have the right people, processes and technologies in place to manage digital risk. In order to reduce the threat from targeted phishing attacks, organisations should look to create a ‘human firewall’, by supporting employee training programs where employees are capable of not only recognising phishing emails, but are comfortable reporting them. This is not a ‘quick fix’ solution, but involves an ongoing process of self-sustaining investment. Every member of an organisation should be responsible for securing an organisation, and should understand the threat posed by hackers, and the benefits of keeping their company secure, not just within the context of their role or department, but across the entire organisation.

“Instead of traditional computer-based training, organisations should be pushing for concentrated campaigns from in-house marketing teams; a strong example set by the rest of the C-Suite downwards; and interactive training methods such as learning via gaming software. The latter can be particularly good for repeat offenders, as they are given an opportunity to engage with IT teams and learn from experience. By taking a business-driven security approach, where all stakeholders are engaged in the conversation, threats can be tackled in a way that safeguards what’s most important – whether that’s intellectual property, a business-critical asset or customer data.”

Stats from Verizon’s DBIR:

The 2018 Verizon Data Breach Investigation Report report found that phishing was the third most used attack method – with it being used in 1,192 incidents and 236 confirmed data breaches.

In addition, Verizon’s report also found:

• 20% people still click on at least one phishing campaign during a year
• Social attacks leading to breaches (which includes phishing attacks) were only used in 15% of successful breaches within the entertainment industry
• Only 17% of phishing campaigns were reported. And almost no campaigns are reported by the majority of the people phished

Laurance Dine, Managing Principal, Investigative Response at Verizon Enterprise Solutions:

“Clicks happen: Some people will click an attachment faster than Harry Turner. Perhaps you send them a tablet and a keyboard or a laptop running a sandboxed OS that only runs signed code.

“DEFCON “Meh”: Reduce the impact of a compromised user device by segmenting clients from critical assets, and using strong authentication (i.e., more than a keylogger is needed to compromise) to access other security zones within your network. If you use email in the cloud, require a second factor.

“Talking about practice: Train the responders along with the end-user base. Test your ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm existence of data exfiltration. Practice, practice, practice to react quickly and efficiently to limit the impact of a successful phish.

“Role-playing games: Provide role-specific training to users that are targeted based on their privileges or access to data. Educate employees with access to employee data such as W-2s or the ability to transfer funds that they are likely targets. Increase their level of scepticism—it isn’t paranoia if someone really is out to get them.”

For reference, the DBIR draws its findings from an analysis of real-world data breaches investigated by Verizon and an extensive range of third-party contributors; including the likes of the U.S. Secret Service, UK legal services firm Mishcon de Reya, UK insurer Chubb and the Irish Reporting and Information Security Service (IRISS CERT) amongst others.