Holiday camp firm Butlin’s says up to 34,000 guests at its resorts may have had their personal information stolen by hackers.
The company says the data in question included names, home addresses, contact details and holiday arrival dates.
Managing director Dermot King apologised for the incident and said no financial details had been compromised.
Butlin’s has set up a “dedicated team” to contact guests who may have been affected.
“Butlin’s take the security of our guest data very seriously and have improved a number of our security processes,” said Mr King.
“I would like to apologise for any upset or inconvenience this incident might cause.”
The firm has published a dedicated web page with some details about the breach.
A spokesman for Butlin’s confirmed that the hack took place within the last 72 hours and was a phishing attack.
However, Butlin’s does not currently know if information on all 34,000 guests was taken.
“We cannot be definitive at the moment with regard to whether all data was hacked,” the spokesman told the BBC.
Butlin’s said it has not yet found evidence of fraudulent activity related to the incident.
“This breach was the result of a phishing email, demonstrating the crucial need to train staff so they can recognise increasingly sophisticated communications that purport to be genuine,” said Jocelyn Paulley at law firm Gowling WLG.
Ms Paulley added that human error was the “greatest single point of weakness” in organisations’ security.
A spokeswoman for the Information Commissioner’s Office said: “Butlins has made us aware of an incident and we will be making enquiries.”
There are three Butlin’s holiday camp sites – Skegness in Lincolnshire, Bognor Regis in West Sussex and Minehead in Somerset.