Carnival Confirms Data Breach Affecting Nearly 6 Million People
Carnival, one of the world's largest cruise operators, has confirmed a data breach that affects nearly 6 million people. The breach occurred in April when hackers gained access to a limited portion of the company's IT environment after compromising an employee account.
The stolen data varies by individual but includes names, addresses, email addresses, phone numbers, dates of birth, driver's license numbers, and passport numbers. Carnival did not disclose the exact number of people affected, but a filing with Maine's attorney general's office indicates that nearly 6 million individuals may have had their information exposed.
Response to the Breach
Carnival said it acted swiftly to block the unauthorized activity and immediately began working with third-party security experts to further strengthen its security and conduct a thorough investigation. The company has not publicly attributed the attack to the ShinyHunters hacking group, which claimed responsibility for the breach and attempted to extort the company to prevent the information from being published.
ShinyHunters released what it said were 8.7 million records on its leak site, including data allegedly tied to the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands. Carnival acknowledged a phishing incident involving a single user account in April and said it was investigating the scope of the unauthorized activity.
Timeline of the Breach
The breach occurred in April, and Carnival determined that the attacker had copied personal information from its systems by the end of the month. The company took a month to publicly confirm the breach, explaining that complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to.
ShinyHunters' History of Cyberattacks
ShinyHunters is known for high-profile data theft and extortion campaigns targeting large organizations. The group has recently claimed responsibility for a breach at analytics company Mixpanel and has been linked to substantial ransom payments from companies after stealing data through compromises involving Salesforce environments.
The FBI warned earlier this year that hackers linked to ShinyHunters were demanding ransom payments from companies after stealing data. Carnival has experienced data breaches in the past, including a breach in 2019 that exposed information belonging to approximately 180,000 customers and employees, for which regulators later fined the company $1.25 million.
Previous Breaches
Carnival also reported another breach in 2021 involving unauthorized access to a limited number of email accounts. The company operates more than 90 ships worldwide and serves millions of passengers annually, making it a high-profile target for cyberattacks.
Carnival owns brands including Princess Cruises, Holland America Line, Cunard, and Costa Cruises. The company's data breach is a reminder of the importance of cybersecurity in the hospitality industry, where sensitive customer information is often at risk.
- Carnival confirmed a data breach affecting nearly 6 million people.
- The breach occurred in April when hackers gained access to a limited portion of the company's IT environment.
- Stolen data includes names, addresses, email addresses, phone numbers, dates of birth, driver's license numbers, and passport numbers.
- ShinyHunters claimed responsibility for the breach and attempted to extort the company to prevent the information from being published.
Source: The Record