Cyber Incident Victim: Carnival Corporation
Date: Apr 2019
Location: United States of America
Summary
Carnival Corporation experienced unauthorized access to employee email accounts at its Princess Cruises and Holland America subsidiaries, compromising extensive personal data including names, Social Security numbers, passport details, addresses, credit card information, and health records. The breach was assessed as posing significantly elevated risk compared to typical incidents, with exposed individuals facing heightened threats of identity theft and financial fraud.
Description
Carnival Corporation, the parent company of Princess Cruises and Holland America Line, experienced a cybersecurity incident involving unauthorized access to employee email accounts between April 11 and July 23, 2019. The breach exposed sensitive personal information belonging to customers and potentially employees, including names, addresses, Social Security numbers, passport details, credit card information, and health records. This data compromise affected multiple Carnival-owned cruise brands and spanned over three months before being contained. The incident was publicly disclosed by Carnival in March 2020, nearly eight months after the unauthorized access period concluded. Breach Clarity, a cybersecurity risk assessment service, assigned this breach a severity rating of 'seven' on their scale, significantly higher than the average risk level for similar data exposure events. The extended duration of unauthorized access increased potential misuse opportunities for stolen data.

In response to the breach, Carnival Corporation offered affected individuals complimentary credit monitoring services through MyIDCare, available for enrollment until June 1, 2020. The company advised victims to replace exposed credit cards and government-issued identification documents, implement credit freezes with major bureaus to prevent new account fraud, and change account passwords using unique passphrases. Carnival also recommended establishing extended fraud alerts on credit reports as an additional protective measure. The incident's consequences included elevated risks of identity theft and financial fraud due to the comprehensive nature of exposed personally identifiable information and protected health data. No specific details regarding the number of affected individuals or the exact method of initial intrusion were disclosed in available reports. The breach impacted customers across multiple Carnival cruise brands through compromised employee email systems that contained passenger information.
