Carnival Corporation – which has been plagued by cyberattacks over the past few years – issued a breach disclosure on Thursday confirming hackers attacked email accounts and gained access to data about its customers and employees.
In a data breach notification letter sent to affected customers, Carnival said that on March 19 it detected that an unauthorized third party had access to a limited number of email accounts.
The data accessed included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like social security or national identification numbers.
According to Carnival, the impacted information includes “data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing.”
Interestingly, the letter from Carnival said there was a “low likelihood” of the data being misused.
The news raised some eyebrows, because Carnival has been hit by multiple cyberattacks since 2019, including a ransomware incident last summer. The company operates many of the leading cruise lines, including Carnival Cruise Line and Princess Cruises.
Just as cruise lines are starting to book trips after a long shutdown because of COVID-19, Carnival faces yet another cybersecurity issue, said Erich Kron, security awareness advocate at KnowBe4. Kron added that, given the type and sheer volume of data Carnival collects, it’s not a surprise the company was attacked; the data it captures is very valuable to attackers.
“Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation and other purposes related to the travel,” Kron said. “These types of attacks are often started through email phishing attacks, so organizations that wish to avoid the same issues as Carnival would be wise to invest in high-quality email filtering and an employee training program focused on spotting email phishing attacks and proper password hygiene.”
John Bambenek, threat intelligence adviser at Netenrich, pointed out that the fact that Carnival has been hit three times in the past several months means the company needs to ask some serious questions about what it’s doing to protect its sensitive information. “At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks,” Bambenek said.