7/26/2023

Carnival data breach 2021

Fourth Leak in Carnival’s Hull Over 15 Months

In its data breach notification, sent on Thursday, the company added that there is evidence indicating “a low likelihood of the data being misused.”

According to the letter, the improperly accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information such as Social-Security or national-identification numbers.

“The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”

“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees and crew,” Frizzell reportedly said.

In a data breach notification letter sent to affected customers and first spotted by BleepingComputer, Carnival said that “unauthorized third-party access to a limited number of email accounts” was detected in mid-March.

But Carnival’s SVP and chief communications officer Roger Frizzell later told the news outlet that the attackers also gained access to “limited portions of its information technology systems.”

It also operates Holland America Princess Alaska Tours, a tour company that sails around Alaska and the Canadian Yukon.

The company did not respond to a request for comment.

Carnival Corp., the world’s largest cruise-ship operator, has sprung another leak: For the second time in a year, attackers have breached email accounts and accessed personal, financial and health information belonging to guests, employees and crew.

Carnival has quite the armada: Its cruise brands include Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK) and Cunard.
The penalty follows Carnival’s $1.25 million settlement with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach.

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said NYDFS Superintendent Adrienne Harris. “DFS will continue diligently enforcing its first-in-the-nation cybersecurity regulation to ensure that consumers’ personal, nonpublic, and sensitive data are protected.”

Carnival agreed to surrender its insurance licenses and cease selling insurance in New York.

The company failed to report the first incident for 10 months, implement multi-factor authentication within its internal email policy, and properly train employees on cybersecurity best practices, violating the NYDFS’s cybersecurity regulation.

As a result of these failures, the company’s cybersecurity compliance certifications for the calendar years 2018 through 2020 were improper, according to the regulator.

At the time of the incidents, Carnival was a licensed insurance producer in New York, sold various insurance products, and was subject to the NYDFS’s cybersecurity regulation.

Three additional breaches were reported by Carnival between August 2020 and March 2021, including two ransomware attacks and a phishing scheme.
According to a consent order agreed to with Carnival and its subsidiaries (Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines), the company in April 2020 reported a 2019 cybersecurity event to the department in which “one or more unauthorized parties had gained access to 124 employee email accounts.”

After an internal investigation by Carnival, the company believed this first cyberattack occurred “due to a phishing email or password spray attack,” per the consent order.