On a scale of 1-10, where 10 was an ‘oh shit’ moment, the Carnival Cruise hack rates an 11!
The Carnival Cruise hack includes personal information about customers, employees and crew on Carnival Cruise Line, P&O Australia, Holland America Line, Cunard, AIDA, Seabourn, Costa, Princess Cruises, Dutch America Princess Alaska Tours and its medical operations.
In mid-March, an unauthorized third party accessed certain personal information related to some guests, employees, and crew. Affected information includes data regularly collected through: the guest experience; travel booking process; employment process; or service to the company, including COVID and other safety tests. There is evidence indicating a low likelihood of the data misuse.
Carnival Cruises SVP and Chief Communications Officer Roger Frizzell stated,
Carnival Cruises won’t comment on how many people are affected by the hack. However, in a letter to customers, it indicated that outsiders might have gained access to Social Security numbers, passport numbers, dates of birth, addresses and health information. In other words, everything you have to give Carnival to make a booking and take a cruise.
The latest hack comes hot on the heels of two ransomware attacks, but it is unknown if these are related. The company is not commenting on the scope of the breach nor the time period affected. But it employs more than 150,000 people in approximately 150 countries. It provides leisure travel to about 13 million guests each year.
Carnival Cruises hack – why, how?
BleepingComputer speculates that a phishing email loaded the ransomware last year. It was able to download a sleeper trojan that moved freely around the Carnival Cruises network identifying targets of interest. Carnival has hired an unnamed cybersecurity firm to investigate.