
Carnival Cruise hit by data breach, warns of data misuse risk



Carnival Corporation, the world’s largest cruise ship operator, has disclosed a data breach after attackers breached some email accounts and accessed personal, financial, and health information belonging to customers, employees, and crew.

Carnival is included in both the S&P 500 and FTSE 100 stock market indices, has more than 150,000 employees in roughly 150 countries, and provides leisure travel to roughly 13 million guests annually.

The company operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).

Data misuse risk warning

“Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021,” the cruise line giant says in a data breach notification letter recently sent to affected customers.

“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, staff, and crew.

“The impacted data includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.”

According to Carnival, the accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.

The cruise line operator also warned impacted customers, employees, and crew that it found evidence indicating “a low probability of the information being misused.”

A Carnival spokesperson was not available for comment when contacted by BleepingComputer earlier today for clarification on the reason behind this warning and more details on the incident.

Hit by ransomware twice in a single year

BleepingComputer previously reported that a ransomware attack also hit Carnival in August 2020, an incident confirmed by the cruise line operator in an 8-K form filed with the US Securities and Exchange Commission (SEC).

Two months later, Carnival said in a separate SEC filing that the ransomware gang behind the August attack gained access to the personal information of both customers and employees during the attack.

Roughly 37,500 individuals were affected by the August ransomware attack, according to information filed by Carnival with the Office of Maine’s Attorney General.

The August ransomware attack came after a data breach disclosed in March 2020 that also led to the exposure of customers’ personal and financial information after threat actors gained access to Carnival employees’ email accounts.

In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with “investigation and remediation phases” still ongoing, according to a 10-Q form filed with the SEC in April 2021.

“There’s currently no indication of any misuse of data potentially accessed or acquired and we continue to work with regulators to bring these issues and other reportable incidents to conclusion,” Carnival said about the December 2020 ransomware incident.

BleepingComputer reported at the time that the German cruise line and Carnival subsidiary AIDA Cruises was dealing with mysterious “IT restrictions” that led to the cancellation of its New Year’s Eve cruises.

Costa Crociere, another Carnival subsidiary, was also affected by an IT outage around the December ransomware attack that prevented customers from booking trips through the cruise line’s online reservation system.

AIDA Cruises, Costa Crociere, and Carnival Corporation didn’t reply to BleepingComputer emails regarding the disruptions and trip cancellations.
