The breach may have impacted its customers and employees.
Carnival Corporation, the world’s largest cruise ship operator, has disclosed a data breach where the threat actors accessed some of its IT systems and the personal, financial, and health information belonging to customers and staff.
Carnival which employs more than 150,000 employees in around 150 countries, provides leisure travel to roughly 13 million guests each year.
The company operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).
According to the data breach notification by the cruise line operator, an unauthorized third-party had accessed a limited number of email accounts that was detected on March 19, 2021.
Carnival’s SVP & Chief Communications Officer Roger Frizzell stated that the attackers gained access to “limited portions of its information technology systems.”
The personal information relating to some of the guests, employees, and crew were accessed which includes data which is routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.
The accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.
All the impacted customers, employees, as well as Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations crew were warned that they found evidence indicating “a low likelihood of the data being misused.”
Carnival was hit by a ransomware attack in August 2020 which was also confirmed by the cruise line operator in which the attackers gained access to the personal information of both customers and employees during the attack. A second ransomware attack also hit the company in December 2020. The cruise line was also affected by a data breach disclosed in March 2020.