Recently, the U.S. Centers for Disease Control and Prevention (CDC) gave Carnival Cruise Line the green light to commence operations, on the condition that it meets health safety protocols for its passengers. This came as a welcome respite for the cruise industry, which had been grounded since COVID-19 swept through the Diamond Princess cruise ship docked at the port of Yokohama in Japan. Many regarded this ship as the “linchpin” for the spread of the virus and thus wished to stay away from such cruises. However, just when light was finally appearing at the end of the tunnel, Carnival Cruise has been pushed back again, this time not by a biological virus but by a cyberspace virus.
The world’s largest cruise ship operator has disclosed a data breach incident that took place in March and impacted an unknown number of customers, employees, and crew members of the fleet that includes Carnival Cruise Line, Holland America Line, and Princess Cruises. The data breach first came to light when the cruise line sent a notification email to its customers. According to the notification, the company had detected unauthorized third-party access to a “limited number” of email accounts on March 19.
The data breach leaked the following information:
- Data collected during the guest experience and travel booking process
- Employment data of its employees
- COVID and other safety test results of its employees and crew members
These data sets include “names, addresses, phone numbers, passport numbers, dates of birth, health information and in some limited instances additional personal information such as Social Security or national identification numbers.”
Incidentally, this is not the first time that Carnival Cruise Line has been on the radar of cybercriminals. In March 2020, a similar data breach incident rocked the cruise line, which was later followed by a ransomware attack in August 2020. During the ransomware incident, the company did not confirm the operators or the amount of data compromised, but only said that some of its data files were “partly encrypted.”
However, Chris Hauk, Consumer Privacy expert at Pixel Privacy, said that it was “a case of a company not taking the steps to properly defend their networks against the bad actors of the world. As mentioned by cybersecurity firm Bad Packets, Carnival failed to patch its edge gateway devices and firewalls, even though patches have been available to fix both issues since earlier this year.”
Given the recurrence of these incidents, Carnival Cruise Line should perhaps take its vulnerability management and threat detection programs more seriously, if it does not already. For the moment, though, the firm has offered free credit monitoring and identity theft detection for 18 months to those affected by the latest data breach incident.