The company operates nine of the world's leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).
Data misuse risk warning
"Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021," the cruise line operator giant says in a data breach notification letter recently sent to affected customers.
However, Carnival's SVP & Chief Communications Officer Roger Frizzell told BleepingComputer after the article was published that the attackers gained access to "limited portions of its information technology systems."
"It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew.
"The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing."
According to Carnival, the accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.
The cruise line operator also warned impacted customers and employees, as well as Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations crew, that it found evidence indicating "a low likelihood of the data being misused."