Carnival Corp says its guests’ and employees’ personal data may have been impacted in a data breach first discovered on March 19, a company spokesperson told Insider in an email statement on Friday.
In response to the breach, Carnival “shut down the event,” informed regulators, and called on a cybersecurity company to look into the attack. The investigation later found that information on guests, crew members, and employees with Carnival Corp and several of its brands — Carnival, Holland America, Princess, and “medical operations” — were impacted by the “third party access to limited portions of its information technology systems,” according to the spokesperson.
Personal information like Social Security and passport numbers, addresses, and health data may have been accessed during the breach, the Associated Press reported.
However, “there is evidence indicating a low likelihood of the data being misused,” the spokesperson told Insider. Carnival has since contacted the people who may have been affected by the data breach, and has created a call center to field any questions.
“As part of its ongoing operations, the company is continuing to review security and privacy policies and procedures and has been implementing changes as needed to enhance our information security and privacy program and controls,” the spokesperson said.
Carnival saw two ransomware attacks in August and December of 2020, the company reported in April.