Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

2nd Breach Hits Carnival's Cruise Lines

Customer and Employee Data Again Exposed
2nd Breach Hits Carnival's Cruise Lines

For the second time in less than a year, Carnival has informed customers and employees of a data breach after an unauthorized intruder gained access to a portion of its IT network and infrastructure in March.

See Also: Live Webinar | OT Cybersecurity Strategies for Executives

In October 2020, Carnival reported a similar incident had taken place in August.

The company declined to comment on whether the same attacker that conducted this year's attack was involved in the incident that took place last year.

The Miami-based company acknowledged Thursday that it had detected the latest illegal intrusion on March 19. An investigation found the attacker had gained access to certain personal information belonging to guests and employees of the company's Carnival Cruise Line, Holland America Line and Princess Cruises units and its medical operations.

"The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing," the company says a statement provided to Information Security Media Group.

The compromised information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and in some limited instances, Social Security or national identification numbers, the company says.

Carnival declined to say how many individuals had been affected, nor did it explain why it took several months to reveal the breach. The company says it has 120,000 employees worldwide and serves 13 million guests per year on its 22 ships.

Security Policies Reviewed

"As part of its ongoing operations, the company is continuing to review security and privacy policies and procedures and has been implementing changes as needed to enhance our information security and privacy program and controls," a Carnival spokesman says.

The company has notified guests and employees whose personal information may have been impacted and has established a dedicated call center to answer questions regarding the incident, the company says.

Earlier Breach

The list of information exposed in the March breach almost perfectly mirrors what was exposed in a similar incident discovered by Carnival's security staff on Aug. 15, 2020. That breach was reported to those affected on Oct. 13, 2020.

Carnival could potentially face fines for violating the European Union's General Data Protection Regulation if, indeed, the data of Europeans was compromised.

In addition to cruise lines, other sectors of the travel industry, such as airlines and hotels - including British Airways and Marriott - have been hit by cyberattacks. Both were slapped with GDPR penalties in amounts that had been reduced from those originally proposed.

About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.