Butlin's has confirmed that the records of up to 34,000 guests have been accessed by hackers.
The holiday camp chain says the stolen data does not include payment details – but customers' names, holiday dates, postal and email addresses and telephone numbers are believed to have been accessed.
A spokesperson confirmed to Sky News that the compromise had taken place over the past 72 hours, and was caused by a phishing email.
Under the EU's new General Data Protection Regulation (GDPR), British companies must notify the Information Commissioner's Office of any data breaches within 72 hours or face a fine.
The company said its own investigations "have not found any fraudulent activity related to this event".
It added: "Guests who may have been affected are being contacted directly by Butlin's to let them know what's happened, what they should do and what is being done to resolve the situation."
Individuals who believe they may have been affected should be cautious not to give out any additional details when contacted by individuals who say they are from Butlin's, as this is a common activity by fraudsters following data breaches.
The chain says it has reported the incident to the ICO, and a spokesperson for the data protection regulator told Sky News: "Butlin's has made us aware of an incident and we will be making enquiries."
In 2016, the ICO fined TalkTalk a record £400,000 for its security failings after the personal details of 156,959 customers were accessed, including their names, addresses, dates of birth, phone numbers and email addresses.
Butlin's managing director Dermot King said: "Butlin's take the security of our guest data very seriously and have improved a number of our security processes.
More from Science & Tech
"I would like to apologise for any upset or inconvenience this incident might cause.
"A dedicated team has been set up to contact all guests who may be affected directly. I would like to personally reassure guests that no financial data has been compromised."