The world’s largest cruise ship operator, Carnival Corporation, has announced a data breach in which threat actors gained access to parts of its IT systems as well as personal, financial, and health information of customers and employees.
Carnival employs over 150,000 people in over 150 countries, provides leisure travel to over 13 million people every year.
Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn are among the corporation’s nine cruise line brands, as well as a travel package company (Holland America Princess Alaska Tours).
An unauthorized third-party accessed a restricted number of email accounts, according to the cruise line operator’s data breach notification letter, which was discovered on March 19, 2021.
The attackers gained access to “limited portions of Carnival’s information technology systems,” according to SVP & Chief Communications Officer Roger Frizzell.
Personal information about some of the guests, employees, and crew was accessed, including data collected routinely during the guest experience and travel booking process, as well as data collected in the course of employment or providing services to the Company, such as COVID-19 or other safety testing.
Names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited cases, additional personal information such as Social Security or national identity numbers were among the data accessed from the Carnival data breach.
Customers, staff, Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations crews were all notified that evidence had been discovered indicating “a low likelihood of the data being misused.”
In August 2020, Carnival was targeted by a ransomware attack, which was confirmed by the cruise line operator.
During the attack, the perpetrators obtained access to the personal information of both customers and workers. In December 2020, the company was struck by a second ransomware attack.
A data breach revealed in March 2020 also impacted the cruise line.