Carnival Corporation, the world’s largest cruise operator, has disclosed a data breach after attackers breached some email accounts and accessed personal, financial and health information belonging to customers, employees and crew.
Carnival is included in the S&P 500 and FTSE 100 stock indices, has more than 150,000 employees in approximately 150 countries, and offers leisure travel to approximately 13 million guests each year.
The company operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard and Seabourn) and one tourist travel company (Holland America Princess Alaska Tours).
Data misuse risk warning
“On March 19, 2021, unauthorized third-party access to a limited number of email accounts was detected,” the cruise operator says in a data breach notification letter recently sent to affected customers.
“It appears that in mid-March, the unauthorized third party gained access to certain personal information related to some of our guests, employees and crew.
“The affected information includes data collected routinely during the guest experience and travel reservation process or during the course of employment or the provision of services to the Company, including COVID or other security tests.”
According to Carnival, the information accessed included names, addresses, phone numbers, passport numbers, dates of birth, medical information and, in some limited cases, additional personal information such as National Identification or Social Security numbers.
The cruise line operator also warned affected customers, employees and crew that it had found evidence indicating “a low probability that the data will be misused.”
A Carnival spokesperson was not available for comment when contacted by BleepingComputer today to clarify the reason for this warning and more details about the incident.
Affected by ransomware twice in a year
BleepingComputer previously reported that a ransomware attack also affected Carnival in August 2020, an incident confirmed by the cruise line operator in a Form 8-K filed with the US Securities and Exchange Commission (SEC).
Two months later, Carnival said in a separate SEC filing that it had confirmed the ransomware gang behind the August attack gained access to the personal information of customers and employees during the attack.
Approximately 37,500 people were affected by the August ransomware attack, according to information presented by Carnival to the Maine Attorney General’s Office.
The August ransomware attack came after a data breach disclosed in March 2020 that also led to the exposure of customers’ personal and financial information after threat actors gained access to the email accounts of Carnival employees.
In December 2020, Carnival was hit by a second ransomware attack (previously undisclosed) with “investigation and remediation phases” still underway, according to a Form 10-Q filed with the SEC in April 2021.
“There is currently no indication of any misuse of the information that has been accessed or acquired and we continue to work with regulators to conclude these matters and other reportable incidents,” Carnival said of the December 2020 ransomware incident.
BleepingComputer reported at the time that the German cruise line and Carnival affiliate AIDA Cruises was dealing with mysterious “IT restrictions” that led to the cancellation of its New Year’s Eve cruises.
Costa Crociere, another Carnival subsidiary, was also hit by an IT outage around the time of the December ransomware attack that prevented customers from booking trips through the cruise line’s online reservation system.
AIDA Cruises, Costa Crociere and Carnival Corporation did not respond to emails from BleepingComputer regarding the trip interruptions and cancellations.