Cyber Incident Victim: Carnival Corporation

Date: Mar 2021

Location: United States of America

Summary

Carnival Corporation experienced unauthorized access to portions of its IT systems, including a limited number of email accounts, compromising personal, financial, and health information of customers, employees, and crew. Exposed data encompassed names, addresses, phone numbers, passport details, birth dates, health records, and in some cases, Social Security or national identification numbers. The company warned affected individuals about potential data misuse despite assessing the likelihood as low, marking another cybersecurity incident following prior ransomware attacks.

Description

Carnival Corporation, identified as the world's largest cruise ship operator with nine cruise line brands and a travel tour subsidiary, disclosed a data breach stemming from unauthorized third-party access detected on March 19, 2021. The intrusion targeted a limited number of corporate email accounts and restricted segments of the company's information technology infrastructure. This unauthorized access compromised personal, financial, and health information belonging to customers, employees, and crew members across Carnival's global operations. Specific data categories exposed included full names, physical addresses, telephone numbers, passport numbers, dates of birth, and health-related information. A subset of affected individuals also had additional sensitive identifiers exposed, such as Social Security numbers in the United States or equivalent national identification numbers in other jurisdictions. Carnival's Senior Vice President and Chief Communications Officer, Roger Frizzell, publicly confirmed the breach but emphasized the limited scope of systems accessed. The company initiated internal investigations following detection and notified regulatory authorities in compliance with data protection obligations.

This incident marked the third significant cybersecurity event disclosed by Carnival within a ten-month period. Prior breaches included a ransomware attack in August 2020 that compromised personal data of 37,500 individuals, followed by a separate ransomware intrusion in December 2020 that remained under active investigation at the time of the March 2021 breach disclosure. Forensic analysis of the March incident revealed evidence suggesting a low probability of actual misuse of the stolen data, though Carnival nonetheless issued formal breach notifications to all potentially affected parties. The notifications detailed the types of exposed information and advised vigilance against potential identity theft or phishing attempts. No operational disruptions to cruise services were publicly linked to this breach, contrasting with the ransomware incidents that had previously disrupted business functions. Carnival's response focused on securing compromised systems, assessing data exposure breadth, and fulfilling legal notification requirements without disclosing specific remediation measures or technical details of the attack vector.
