Butlins has changed since the Hi-Di-Hi era, much smaller than it was and includes hotels on the sites. But just what happened? I'd distinguish between phishing and malware. 34,000 sets of booking details sounds way too big to be the result of a phishing attack pretending to be the local council. A fake email from a local council could be a vector for malware, but how plausible was the email? The scale looks like one site, so it hangs together, but I wonder how robust the system is.
Local councils could plausibly mail out regular information, such as event lists, which somebody might almost automatically open, but why would such stuff get close to the bookings database? Maybe something was sent to customers, but what?