Carnival Cruise Lines Springs Another Data Leak; Over 13M Possibly Affected

The world’s largest cruise ship operator announced its fourth data breach in just over one year. Carnival Corporation, owner of several popular cruise lines including Carnival Cruise Line, Holland America Line, and Princess Cruises, says it acted quickly to “shut down the event and prevent further unauthorized access.” That may be cold comfort to those cruise guests, employees and crew who had their email addresses and sensitive information stolen in the breach. The extent of the data leak could be massive since the company sails nearly thirteen million cruise-goers a year and has over 150,000 employees the world over. Of the now four security events at Carnival Corporation, two were ransomware attacks.

That Sinking Feeling

The data breach couldn’t have worse timing as Americans are getting back to life post-coronavirus, with many looking to seaward vacations. In their data breach notification letter sent to those affected, the company admits the stolen data includes not only email addresses, but also names, addresses, phone numbers, passport numbers, date of birth, health information, and in some cases Social Security and national identification numbers. Realistically, the extensive information stolen by what Carnival calls “an unauthorized third-party” can lead to numerous attacks on victims including identity and financial theft, phishing and malware attacks and more.

Leaky Data Protection

With two ransomware attacks and two data breaches under its belt, security experts wonder why Carnival company is still inept at keeping its data secured. By now the company has to know it has a bulls-eye on its bow, so what are they doing to prevent the next attack? The answer to that question remains murky. Attacks against the company are happening as more travelers make vacation plans, and the data Carnival collects is a prime target for theft. However, Carnival isn’t alone in that as the travel industry in general is now ripe for the picking. There’s every reason to believe cyberattacks will continue and likely ramp-up as all types of travel continue to flourish.

Hope Floats

With Carnival Corporation continuing to lack effective data security, a privacy champion from Pixel Privacy points out what the company needs to do to help prevent an unauthorized third-party from stealing data – again. Quite simply, Carnival, as well as all organizations, needs to make sure all systems and security patches are updated, and cyber-educating employees to the risks of email phishing can go a long way. Remember, all it takes is for one employee to click on a malware attachment or follow an infected link for a cyberattack to let loose.

In a data breach notification letter, Carnival states “There is evidence indicating a low likelihood of the data being misused.” Let’s hope they’re right.

Stickley on Security