Carnival Corporation, the world’s largest cruise ship operator, said in a statement that the attackers gained access to its systems and collected personal information such as names, email addresses, and phone numbers of its customers and employees.
Carnival is one of the world’s largest leisure travel companies. With annual sales of approximately $145 billion, it is included in various global stock market indices. As one of the world’s largest cruise line operators, it owns nine cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn) and a travel company called Holland America Princess Alaska Tours.
In March 2021, an unauthorized third-party accessed a number of email accounts:
“Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021,” the cruise line operator said in a data breach notification letter recently sent to affected customers.
According to Carnival’s SVP & Chief Communications Officer Roger Frizzell, the attackers did not gain access to the company’s core systems.
“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew. The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.”
The information that was accessed included names, phone numbers, and dates of birth. Some additional personal details included Social Security or national identity numbers. The company also warned passengers and crew members that after the breach they saw “a low likelihood of the data being misused.”
Another ransomware attack hit Carnival in August 2020. Two months after the attack, the company revealed that a hacker gang gained access to its customers’ and employees’ personal information. About 37,500 individuals were affected by this ransomware attack, according to a report filed at the time with the Office of Maine’s Attorney General.
In December 2020, the company was hit by yet another ransomware attack. The “investigation and remediation phases” are still ongoing.
“There is currently no indication of any misuse of information potentially accessed or acquired and we continue to work with regulators to bring these matters and other reportable incidents to conclusion,” Carnival said about the December 2020 ransomware incident.
