Carnival Confirms Passenger Data Compromised

Carnival Corporation has disclosed that passenger and employee data from three different cruise lines was accessed in a ransomware attack that took place in August.

On August 15, the British-American cruise operator discovered that an unauthorized third party had compromised its computer system and downloaded data files.

An update issued by the corporation yesterday states that personal data from passengers of Carnival Cruise Line, Holland America Line, and Seabourn was impacted in the August attack. 

“While the investigation is ongoing, early indications are that in early August the unauthorized third party gained access to certain personal information relating to some guests, employees and crew for three of the corporation’s brands—Carnival Cruise Line, Holland America Line and Seabourn, as well as casino operations,” said Carnival.

Information accessed by the threat actor may include names, addresses, phone numbers, passport numbers, and dates of birth.

Carnival said: "The investigation into the specific data impacted is ongoing, but in some limited instances, we anticipate additional information impacted may include data such as Social Security numbers, health information, or other personal information."

Carnival, with over 150,000 employees, is the largest cruise operator in the world, serving over 13 million passengers annually before the outbreak of COVID-19. 

In the disclosure, Carnival stated that it is working “as quickly as possible” to identify and notify the passengers, employees, crew, and other individuals whose personal data may have been accessed. Working out precisely whose data was impacted could take up to 60 days to complete. 

Following the attack, Carnival said it took steps to recover the files being held ransom by the threat actors. The corporation's investigation into the incident is ongoing, but Carnival said early indicators suggest that the likelihood that the data accessed without authorization has since been misused was "low." 

“While how the third party gained unauthorized access has not been disclosed, this is yet another example of the importance of proper investment in cyber security programs to protect company and customer data," commented Terence Jackson, CISO at Thycotic.

"Attackers are not taking it easy during the pandemic. They are stepping the attacks up and we have to be ready.”

What’s Hot on Infosecurity Magazine?