Princess Cruises Data Breach

Founded in 1965, Princess Cruises rose to prominence in the late 1970s after being heavily featured on the hit TV show “The Love Boat” and is currently a leading name in the cruise industry. In 2020, Carnival Corporation, the parent company of Princess Cruises, announced that it had experienced a significant data breach that exposed sensitive passenger and employee information. 

With a global itinerary of over 330 cruise destinations across more than 100 countries on all seven continents, it is no surprise that bad-faith actors targeted Princess Cruises. As more businesses and organizations move their operations online and adopt digital technologies, cybercriminals' attack surface expands, providing more opportunities for breaches. Factors like ransomware evolution, advanced attack methods, and the surge in remote work have also contributed to a noticeable uptick in data breaches and ransomware attacks in the US (and globally), cutting across several industries. 

While Carnival Corp is no stranger to ransomware attacks, the Princess Cruises breach, which also affected its sister line, Holland America Line, represented its most significant data breach incident (and in the travel/cruise sector). Even though the company stated that it quickly “shut down the event” and took necessary steps to investigate the cause and stop further unauthorized access, it raised concerns about data security within the travel sector.

When Was the Princess Cruises Data Breach?

The Princess Cruises data breach was initially discovered in May 2019 when the company identified suspicious activity on its network. According to a notification letter sent to its customers and filed with the California Attorney General’s Office in March 2020, the company initiated an investigation to determine the exact nature and impact of the breach. This investigation revealed that a third party had gained unauthorized access to several employee email accounts that contained personal information on guests and crew members between April 11 and July 23, 2019. The exact nature of exposed data varied but included names, addresses, Social Security numbers, government identification numbers (passport and driver’s license numbers), credit card information, and health-related data. 

How to Check If Your Data Was Breached

Princess Cruises did not disclose the exact number of passengers and employees affected by the data breach when announcing the incident; however, it took steps to notify affected individuals and offered them free credit monitoring and identity theft detection services. Nonetheless, subsequent reports suggested that this single data breach incident affected over 180,000 Carnival Corp employees and customers nationwide. 

In situations where you do not receive a notification from a company about a data breach, you can take action on your own to determine if you may have been affected by monitoring your bank account activity for any unusual transactions. Be sure to report anything suspicious to the police and your card issuer, and be cautious of unsolicited emails or SMS messages during this time. 

What to Do If Your Data Was Breached

Following the data breach, Princess Cruises offered affected individuals free credit monitoring and identity theft detection services, including 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. 

If a data breach potentially impacts you, taking proactive steps to protect your personal information is essential. This can include updating passwords for any online accounts, especially those with the same credentials as the compromised email accounts, and monitoring your financial statements for unusual activity. You should also keep an eye out for any communications from the company regarding updates, further actions to take, and subsequent breaches or ransomware attacks, especially if you are a continuing cruise line customer. 

Are There Any Lawsuits Because of the Data Breach?

A multi-state investigation ensued after Carnival Corp publicly announced the data breach, focusing on the company’s email security practices and compliance with data breach statutes. The investigation was co-led by the Connecticut, Florida, and Washington Attorneys General, who were assisted by Alabama, Arizona, Arkansas, Ohio, and North Carolina, and joined by Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, Vermont, Georgia, Kentucky, Louisiana, Mississippi, South Carolina, Tennessee, Virginia, West Virginia, Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, South Dakota, Wisconsin, Colorado, Nevada, New Mexico, Oklahoma, Texas, Utah, Wyoming, Alaska, California, Hawaii, Idaho, Montana, and Oregon.

The main bone of contention was Carnival Corp’s failure to notify law enforcement and potential victims as soon as the breach was identified; instead, it waited approximately 10 months before reporting the incident. The investigation led to a $1.25 million settlement in June 2022 and the company agreeing to several provisions to strengthen its email security and breach response practices moving forward, such as:

• Implementing and maintaining a breach response and notification plan 
• Undergoing an independent information security assessment
• Providing email security training for its employees
• Maintaining enhanced behavior analytics tools to log and monitor potential security events on the company's network
• Requiring multi-factor authentication for remote email access
• Improving its password policies and procedures 

Can My Princess Cruises Information Be Used for Identity Theft?

Yes, the information exposed in the Princess Cruises data breach can potentially be used for identity theft (even though the company stated that it had no reason to suspect that was the case). The compromised data included highly sensitive private personal information (PPI) that cybercriminals could also use for fraud and scams. 

What Can You Do to Protect Yourself Online?

In our increasingly digital world, personal data is often shared online with various entities. The Princess Cruises data breach underscores the critical need for vigilance when sharing personal information, especially for those who frequently travel or embark on leisure trips. Here are some proactive measures to safeguard your information online and protect yourself from cybercriminals looking to use this information for nefarious purposes:

• Create strong, unique passwords for each of your online accounts. Avoid using easily guessable information such as birthdays or common words.
• Enable two-factor authentication (2FA) on your online accounts whenever possible. This adds an extra layer of security to the account.
• Regularly check your credit reports and consider investing in credit monitoring services. You should also periodically review your bank account and credit card statements for unauthorized transactions and contact your financial institution immediately if you notice any suspicious activity.
• Be wary of phishing emails and links. Do not click on links or download attachments from unknown or suspicious sources.
• Never offer private personal or financial information to unknown requesters.
• Keep your operating systems, browsers, and software up to date with the latest security patches. This helps protect against vulnerabilities that cybercriminals can exploit.
• Install and maintain reputable antivirus and antimalware software on your devices.
• Stay informed on the latest cybersecurity threats and best practices. Platforms like IDStrong offer regular updates on these topics, providing a convenient tool to educate and protect yourself from cyber threats.