[BreachExchange] Carnival Cruise hit by data breach, warns of data misuse risk

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 18 11:43:12 EDT 2021


https://www.bleepingcomputer.com/news/security/carnival-cruise-hit-by-data-breach-warns-of-data-misuse-risk/

Carnival Corporation, the world's largest cruise ship operator, has
disclosed a data breach after attackers gained access to some of its IT
systems and the personal, financial, and health information belonging to
customers, employees, and crew.

Carnival is included in both S&P 500 and FTSE 100 stock market indices, has
more than 150,000 employees in roughly 150 countries, and provides leisure
travel to roughly 13 million guests each year.

The company operates nine of the world's leading cruise line brands
(Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises,
Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour
company (Holland America Princess Alaska Tours).

Data misuse risk warning

"Unauthorized third-party access to a limited number of email accounts was
detected on March 19, 2021," the cruise line operator giant says in a data
breach notification letter recently sent to affected customers.

However, Carnival's SVP & Chief Communications Officer Roger Frizzell told
BleepingComputer after the article was published that the attackers gained
access to "limited portions of its information technology systems."

"It appears that in mid-March, the unauthorized third-party gained access
to certain personal information relating to some of our guests, employees,
and crew.

"The impacted information includes data routinely collected during the
guest experience and travel booking process or through the course of
employment or providing services to the Company, including COVID or other
safety testing."

According to Carnival, the accessed information included names, addresses,
phone numbers, passport numbers, dates of birth, health information, and,
in some limited instances, additional personal information like Social
Security or national identification numbers.

The cruise line operator also warned impacted customers and employees, as
well as Carnival Cruise Line, Holland America Line, Princess Cruises, and
medical operations crew, that it found evidence indicating "a low
likelihood of the data being misused."

Hit by ransomware twice in one year

BleepingComputer previously reported that a ransomware attack also hit
Carnival in August 2020, an incident confirmed by the cruise line operator
in an 8-K form filed with the US Securities and Exchange Commission (SEC).

Two months later, Carnival said in a separate SEC filing the ransomware
gang behind the August attack gained access to the personal information of
both customers and employees during the attack.

Roughly 37,500 individuals were affected by the August ransomware attack,
according to info filed by Carnival with the Office of Maine's Attorney
General.

The August ransomware attack came after a data breach disclosed in March
2020 that also led to the exposure of customers' personal and financial
info after threat actors gained access to Carnival employees' email
accounts.

In December 2020, Carnival was hit by a second (previously undisclosed)
ransomware attack with "investigation and remediation phases" still
ongoing, according to a 10-Q form filed with the SEC in April 2021.

"There is currently no indication of any misuse of information potentially
accessed or acquired and we continue to work with regulators to bring these
matters and other reportable incidents to conclusion," Carnival said about
the December 2020 ransomware incident.

BleepingComputer reported at the time that the German cruise line and
Carnival subsidiary AIDA Cruises was dealing with mysterious "IT
restrictions" that led to the cancellation of their New Year's Eve cruises.

Costa Crociere, another Carnival subsidiary, was also affected by an IT
outage around the December ransomware attack that prevented customers from
booking trips via the cruise line's online reservation system.

AIDA Cruises, Costa Crociere, and Carnival Corporation did not reply to
BleepingComputer emails regarding the disruptions and trip cancellations.

Update: Added info provided by Roger Frizzell, Carnival's SVP & Chief
Communications Officer.