Carnival Cruise Lines Hit Again with Another Cyberattack and Data Breach

 For the fourth time in barely a year, Carnival Cruise lines are hit again with a cyberattack and suffer a major data breach.

What Happened?

First reported by Bleeping Computer on June 17, Carnival Cruise Lines filed a breach notification that hackers had once again accessed email accounts, IT systems, financial, personal, and health information for its customers, crew, and employees.

Carnival is one of the most prominent recreational cruise lines in the world, with more than 150,000 employees operating in 150 countries. Annually they serve about 13 million guests.

According to Bleeping Computer, “The company operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).”

In a data breach notification Carnival Cruise Lines sent to its customers, the company said, “Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021.”

What Information Was Breached?

Carnival’s SVP & Chief Communications Officer, Roger Frizzel, told Bleeping Computer that hackers only gained access to “limited portions of its information technology systems.”

“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew.”

“The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.”

The information accessed includes names, addresses, phone numbers, passport numbers, dates of birth, health information. In addition, some guests’ social security or other national identification numbers may have also been accessed.

The information stolen is plenty for hackers to use for identity theft and fraud, but Carnival Cruise Lines warned of “a low likelihood of the data being misused.”

A Pattern of Abuse

This most recent incident is the fourth in just about a year. The last ransomware attack occurred in August 2020, affecting roughly 37,500 customers and employees.

The company experienced another data breach in March 2020 that exposed customers’ personal and financial data.

Another ransomware attack occurred in December 2020. After the December attack, Carnival Cruise Lines said, “There is currently no indication of any misuse of information potentially accessed or acquired, and we continue to work with regulators to bring these matters and other reportable incidents to conclusion.”

Carnival Cruise Lines is obviously an easy target that has not taken any steps to remediate the problem and protect the data and personal information of its customers, crew, and employees.

Both of the ransomware attacks left IT systems inoperable, forcing the company to reschedule some cruises.

How Can Cruise Customers Safeguard Their Information?

When using services like a cruise vendor, customers must share some information with the company. However, these incidents show how vulnerable that information can be when safeguarded by a company without proper security in place. Some ways cruise customers can stay safe are:

• After a data breach where you are notified that your information was exposed, sign up for credit and identity theft monitoring.
• Get an annual copy of your credit report and review it carefully.
• Keep a close eye on monthly bank and credit card statements.
• Watch out for signs of identity theft or fraud.
• Always use strong passwords.
• Never reuse passwords on multiple accounts.
• Give out only basic personal information when necessary.
• Watch out for phishing emails (especially after a data breach).
• Change all your passwords after a data breach.
• Keep good antivirus/anti-malware software running on all your devices.
• Use common sense, and if anything sounds too good to be true, it probably is, walk away.