Again: Another data protection incident at Carnival Cruise

The world's largest cruise operator, Carnival Cruise, has again been forced to admit to a data breach incident. For the second time in a year, attackers broke into email accounts and gained access to personal, financial and health information of guests, employees and crew.


Carnival operates an armada of ships under the Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK) and Cunard cruise brands. It also operates Holland America Princess Alaska Tours, a tour company that sails around Alaska and the Canadian Yukon. 

The problem with Carnival, however, is that within a year, the provider has already admitted to four data privacy incidents in which data got into the hands of unauthorized parties. In October 2020, I reported in the blog post "Cruise provider Carnival confirms ransomware attack with data exfiltration" on a data leak following a ransomware attack. In the following tweet, Threatpost points out the latest data breach incident.

[Tweet: Data protection incident at Carnival Cruise]

In a notice to affected customers, Carnival said it detected "unauthorized third-party access to a limited number of email accounts" in mid-March. Carnival SVP and Chief Communications Officer Roger Frizzell later told a news agency that the attackers also gained access to "limited portions of information technology systems."

It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees and crew. The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.

In the data breach notification sent out last Thursday, the company added that there was evidence indicating a "low probability of data misuse." According to the notice, the tapped records include names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited cases, additional personal information such as social security or national identification numbers of the associated individuals.

