2nd Breach Hits Carnival's Cruise Lines
Customer and Employee Data Again Exposed
For the second time in less than a year, Carnival has informed customers and employees of a data breach after an unauthorized intruder gained access to a portion of its IT network and infrastructure in March.
In October 2020, Carnival reported a similar incident had taken place in August.
The company declined to comment on whether the same attacker that conducted this year's attack was involved in the incident that took place last year.
The Miami-based company acknowledged Thursday that it had detected the latest illegal intrusion on March 19. An investigation found the attacker had gained access to certain personal information belonging to guests and employees of the company's Carnival Cruise Line, Holland America Line and Princess Cruises units and its medical operations.
"The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing," the company says in a statement provided to Information Security Media Group.
The compromised information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and in some limited instances, Social Security or national identification numbers, the company says.
Carnival declined to say how many individuals had been affected, nor did it explain why it took several months to reveal the breach. The company says it has 120,000 employees worldwide and serves 13 million guests per year on its 22 ships.
Security Policies Reviewed
"As part of its ongoing operations, the company is continuing to review security and privacy policies and procedures and has been implementing changes as needed to enhance our information security and privacy program and controls," a Carnival spokesman says.
The company has notified guests and employees whose personal information may have been impacted and has established a dedicated call center to answer questions regarding the incident, the company says.
Earlier Breach
The list of information exposed in the March breach almost perfectly mirrors what was exposed in a similar incident discovered by Carnival's security staff on Aug. 15, 2020. That breach was reported to those affected on Oct. 13, 2020.
Carnival could potentially face fines for violating the European Union's General Data Protection Regulation if, indeed, the data of Europeans was compromised.
In addition to cruise lines, other sectors of the travel industry, such as airlines and hotels - including British Airways and Marriott - have been hit by cyberattacks. Both were slapped with GDPR penalties in amounts that had been reduced from those originally proposed.