Princess Cruises, the cruise line owned by Carnival Corporation & plc. that stopped their global operations after the outbreak of coronavirus in two of their ships, have now confirmed they suffered a major security breach that spanned three months last year.
In the notice of a potential data breach published on their website, Princess Cruises have confirmed that in May 2019 they identified suspicious activity in their network. The incident involved unauthorised access to multiple employee email accounts in the period of 11 April – 23 July 2019. Some of the emails contained personal information of guests, crew, and employees.
Princess Cruises said that the data security incident potentially compromised the name, address, Social Security Number, passport number, driver's license number, credit card, and financial account information, and health-related information. This data leak was not specific to each guest and the company does not have any evidence of misuse of this personal information so far.
Princess Cruises have confirmed that apart from their ongoing investigation, they have also reported this incident to the law enforcement. Furthermore, they are reviewing their security policies and implementing changes to enhance their security program. The security incident also impacted employees working for Holland America Lina, another travel company owned by Carnival Corporation.
Jonathan Knudsen, senior security strategist at Synopsys, told TEISS that news of the data breach at Princess Cruises makes one thing perfectly clear: all businesses are software businesses. Regardless of specifics, software is part of the underlying critical infrastructure that supports every business.
"Businesses of all types are realising that software is critical infrastructure. When software fails, the consequences can be severe, ranging from inconvenience and expense all the way up to reputation damage and loss of business continuity.
"A proactive, security-forward culture is the best way to minimise risk. This means thinking about security in all initiatives, large and small. Ongoing security education is important, but it is just as important to incorporate security into the design of network infrastructure, internal software systems, and business processes, not to mention making security a first-class citizen when procuring software and systems," he added.