Carnival Corporation, the world's largest operator of cruise lines, has confirmed that the ransomware attack that struck its systems in August, resulted in the compromise of personal information of guests, employees, and crew.
In August, Carnival Corporation disclosed in a filing with the U.S. Securities and Exchange Commission that one of its brands suffered a ransomware attack that resulted in hackers gaining access to internal IT systems, encrypting a portion of the systems, and stealing the personal data of guests and employees.
"Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results," Carnival stated in the filing.
"Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected," it added.
The company also stated that as soon as the ransomware attack was detected, it launched an investigation, notified law enforcement authorities, and engaged legal counsel and other incident response professionals. Carnival Corporation is also working with industry-leading cybersecurity firms "to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation."
Recently, the cruise line giant, which operates a number of renowned cruise line brands such as Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises in the UK and Australia, said the August ransomware attack resulted in hackers gaining access to the personal information of a number of guests, employees, and crew.
"While the investigation is ongoing, early indications are that in early August an unauthorised third-party gained access to certain personal information relating to some of our guests, employees, and crew. For individuals who sailed with us, the information impacted may include the data routinely collected during the guest travel booking process, during the casino experience, or at the time of employment.
"That information may include names, addresses, phone numbers, passport numbers, and dates of birth. The investigation into the specific data impacted is ongoing, but in some limited instances, we anticipate additional information impacted may include data such as Social Security numbers, health information, or other personal information," Carnival said.
"We are working as quickly as possible to identify the guests, employees, crew and other individuals whose information may have been impacted. We expect to complete this process within the next 30-60 days and will then send notifications to potentially affected individuals whose current contact information is available to the company. Along with those individual notices, affected individuals will be offered complimentary credit monitoring, as appropriate," it added.
The cruise line company also announced in a separate press release that the ransomware attack on its IT systems affected three cruise lines, namely Carnival Cruise Line, Holland America Line, and Seabourn, as well as the company's casino operations. It added that working with cyber security consultants, it "took steps to recover its files and has evidence indicating a low likelihood of the data being misused."