Carnival acknowledged a cybersecurity incident after an attacker accessed part of its IT infrastructure last month after compromising an employee's account. At the end of April, the shipping company also confirmed that the intruder copied personal information stored in its systems.
The breach affects almost six million people, according to a document filed with the Maine Attorney General's Office. The scope contrasts with the company's recent history, which suffered a leak in 2019 and another of smaller scope in 2021, while maintaining normal commercial activity in ports such as Barcelona, Valencia, Malaga, and Palma de Mallorca.
The intrusion exposed passports, phones, and dates of birth
Among the compromised data are names, addresses, emails, phone numbers, dates of birth, driver's licenses, and passports. The company has not detailed how many affected individuals correspond to each market or brand within the group in this data.
The incident occurred after the ransomware group ShinyHunters attempted to extort the company in April. That same group published samples of the stolen information and initially estimated the total volume at 8.7 million records.
Carnival stated in a press release that it acted quickly to block unauthorized activity and immediately began working with external specialists.
"We acted quickly to block unauthorized activity and immediately began working with external security experts to further strengthen our security and conduct a thorough investigation" - Carnival, shipping company
Barcelona maintains departures and calls for four group brands
The incident affects a company with a direct presence in cruise traffic linked to Catalonia. Costa Cruises schedules annual departures from Barcelona, as does Princess, while Holland America Line frequently embarks and disembarks in the Catalan capital and Cunard also departs from the port of Barcelona.
Princess operates routes with calls in Cadiz or Vigo. Holland America Line adds overnight stays and stops in Malaga, Alicante, or Cartagena, and Cunard includes calls in Vigo or Cadiz within its itineraries.
With more than 90 ships worldwide, Carnival is also the parent company of Princess, Holland America Line, Cunard, and Costa Cruises. This international dimension expands the potential reach of a leak that includes identification documents and personal contact details.
The company had already suffered two breaches in recent years
In 2019, the shipping company registered a leak that exposed information of about 180,000 customers and employees. That episode ended with a fine of 1.25 million dollars imposed by regulators.
Two years later, in 2021, Carnival reported another smaller-scale breach linked to email accounts. The new incident now raises the number of people with compromised information to almost six million, according to documentation submitted to the Attorney General of Maine.