Carnival Cruise hit by data breach
Carnival Corporation, the world's largest cruise ship operator, has disclosed a data breach after attackers gained access to some of its IT systems and the personal, financial, and health information belonging to customers, employees, and crew.
Carnival is included in both the S&P 500 and FTSE 100 stock
market indices, has more than 150,000 employees in roughly 150 countries, and
provides leisure travel to roughly 13 million guests each year.
The company operates nine of the world's leading cruise line
brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises,
Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a
travel tour company (Holland America Princess Alaska Tours).
Data misuse risk warning
"Unauthorized third-party access to a limited number of
email accounts was detected on March 19, 2021," the cruise line operator
giant says in a data breach notification letter recently sent to affected
customers.
However, Carnival's SVP & Chief Communications Officer
Roger Frizzell told BleepingComputer after the article was published that the
attackers gained access to "limited portions of its information technology
systems."
"It appears that in mid-March, the unauthorized
third-party gained access to certain personal information relating to some of
our guests, employees, and crew.
"The impacted information includes data routinely
collected during the guest experience and travel booking process or through the
course of employment or providing services to the Company, including COVID or other
safety testing."
According to Carnival, the accessed information included
names, addresses, phone numbers, passport numbers, dates of birth, health
information, and, in some limited instances, additional personal information
like Social Security or national identification numbers.
The cruise line operator also warned impacted customers,
employees, as well as Carnival Cruise Line, Holland America Line, Princess
Cruises, and medical operations crew that they found evidence indicating
"a low likelihood of the data being misused."
Hit by ransomware twice in one year
BleepingComputer previously reported that a ransomware
attack also hit Carnival in August 2020, an incident confirmed by the cruise
line operator in an 8-K form filed with the US Securities and Exchange
Commission (SEC).
Two months later, Carnival said in a separate SEC filing
that the ransomware gang behind the August attack gained access to the personal
information of both customers and employees during the attack.
Roughly 37,500 individuals were affected by the
August ransomware attack, according to info filed by Carnival with the Office
of Maine's Attorney General.
The August ransomware attack came after a data breach
disclosed in March 2020 that also led to the exposure of customers' personal
and financial info after threat actors gained access to Carnival employees'
email accounts.
In December 2020, Carnival was hit by a second (previously
undisclosed) ransomware attack with "investigation and remediation
phases" still ongoing, according to a 10-Q form filed with the SEC in
April 2021.
"There is currently no indication of any misuse of
information potentially accessed or acquired and we continue to work with
regulators to bring these matters and other reportable incidents to
conclusion," Carnival said about the December 2020 ransomware incident.
BleepingComputer reported at the time that the German cruise
line and Carnival subsidiary AIDA Cruises was dealing with mysterious "IT
restrictions" that led to the cancellation of their New Year's Eve
cruises.
Costa Crociere, another Carnival subsidiary, was also
affected by an IT outage around the December ransomware attack that prevented
customers from booking trips via the cruise line's online reservation system.