Officials for the cruise lines, both owned by parent company Carnival Corp., said in May 2019 they identified suspicious activity on their servers and launched an investigation with the help of cybersecurity forensics experts. The investigation found that hackers had gained access to employee email accounts containing sensitive information about employees, guests and crew members. The exposed personal data included:
- Social Security numbers (SSNs)
- Government identification numbers
- Passport numbers
- Driver’s license numbers
- National identification numbers
- Credit card and financial account information
- Health information
The exposed information was not identical between individuals, and affected parties may have had some or all of this information exposed – the list is not specific to every guest.
Officials said the cruise lines acted to shut down the attack and prevent further exposure. Neither Carnival nor the individual cruise lines have indicated how many individuals may have been affected. The data breach was reported to law enforcement and affected individuals are being notified, officials said.
According to the statements, there is currently no evidence of misuse of the stolen information. However, any data breach involving SSNs means that with a few other key pieces of information, such as names and addresses, criminals can commit identity theft, attempt phishing scams and commit other fraud. With this stolen information, criminals can open fraudulent accounts in the names of cruise line guests, employees and crew.
The announcement of the data breach comes at a troubling time for the cruise line industry as it has been forced to suspend operations since the outbreak of the coronavirus pandemic. The industry has been one of the hardest affected since the coronavirus has spread globally after originating in the city of Wuhan in China.