
Carnival Discloses Fourth Data Breach in Two Years

Breach happened on March 19 via compromised email accounts.

Yesterday, Bloomberg reported that Carnival Corp. experienced a security breach on March 19, when it noticed unauthorized access to its computer systems. According to the company, it notified regulators and hired a cybersecurity firm to investigate.

The investigation found that personal data of customers, employees and crew for its Carnival, Holland America and Princess cruise lines was accessed by third-party bad actors via a “limited number of email accounts.”

In a letter that many news sites are reporting is directly from Carnival, the company says the data that was accessed includes “data routinely collected during the guest experience and travel booking process or through the course of employment.”

The letter goes on to say that the data could include names, addresses, phone numbers, passport numbers, birthdates, health information and in “some limited instances” social security numbers or national identification numbers. Carnival added that evidence suggests “a low likelihood” of the data being misused.

Two Years, Four Data Breaches

This is not the first time Carnival has disclosed a security breach. In an April 2021 Security Filing, Carnival noted that the company had been breached twice in 2020: August and December. While the company had previously announced the August attack, the December 2020 attack was previously undisclosed.

The August 2020 ransomware attack “accessed and encrypted a portion of one brand’s information technology systems.” Three brands were affected: Carnival Cruise Line, Holland America and Seabourn as well as casino operations.

And in March of 2020, the company disclosed that its Princess Cruises and Holland America brands were the victims of an email phishing attack in late May 2019. Deceptive emails were sent to employees, which ultimately allowed a third party to access employee email accounts. Within those accounts were employee and guest information, including names, Social Security numbers, government identification numbers (such as passport numbers and national identity card numbers), credit card and financial account information, and health-related information.

“The fact that Carnival has been hit three times in 12 months means some serious questions need to be asked on what this company is doing to protect its sensitive information,” says John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider. “At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks.”

Bad Timing

While announcing a data breach never comes at a “good time,” this is especially bad timing for the cruise industry.

“Just as cruisers are starting to book trips after a long shutdown due to COVID-19, Carnival is facing yet another cybersecurity issue,” says Erich Kron, security awareness advocate at KnowBe4. “The type of data and the sheer volume of it being collected by Carnival can be very valuable to attackers, so it is no big surprise they have been a target. Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation and other purposes related to the travel. This includes social security numbers, passport numbers, full names, addresses, phone numbers and much more -- all data that could be easily used to steal identities or open accounts in potential victims' names.”

An Ounce of Prevention…

According to Kron, these attacks often start via email phishing. Carnival’s first reported security breach, which happened in May 2019, was of this nature, as was its March 2021 attack. He recommends that organizations invest in high-quality email filtering and an employee training program that focuses on spotting email phishing attacks and proper password hygiene.

“In addition, investing in DLP (Data Loss Prevention) solutions and enabling 2FA (Two-Factor Authentication) on accounts would be wise as well,” Kron adds.
