Carnival Data Breach Exposes Data of Nearly 6 Million Customers
Carnival’s latest cyber breach lands with an uncomfortable sense of déjà vu, as the world’s biggest cruise operator again finds itself explaining how customer data slipped into criminal hands.
The company has confirmed a cyber incident affecting its systems that has exposed personal information belonging to nearly 6 million customers. The disclosure follows claims by the ShinyHunters group that it stole millions of records and terabytes of corporate data in an April intrusion.
For Carnival, this adds to a growing list of cybersecurity incidents the company has suffered. That backdrop matters because it raises the question of whether lessons from repeated incidents are translating into stronger defenses or whether threat actors are simply getting smarter.
Another ShinyHunters breach impacts millions
According to a filing made with the Maine Attorney General’s Office, the incident occurred on April 10 but wasn’t noticed until four days later, on April 14. Upon detecting the unauthorized activity, the company launched an investigation and blocked further access to its systems.
However, it wasn’t until April 22 that it was determined that personal data had actually been exfiltrated from its systems.

While the company hasn’t named any culprits yet, the ShinyHunters hacking group has claimed responsibility for the breach, saying it stole more than 8.7 million customer records, including personally identifiable information and terabytes of company data.
In a notification sent to the 5,995,277 affected customers, Carnival notes that the threat actors compromised an employee’s account through social engineering. Using the compromised account, the threat actors accessed “a limited portion of the Company’s IT system.”
Although many cyberattacks begin with a form of social engineering, ShinyHunters in particular has a track record of using this very technique in their operations.
Scope of the data exposure
Aside from confirming the breach, the company hasn’t revealed any other information about the data theft, nor has it responded to requests from BleepingComputer.
However, an analysis of the leaked data by Have I Been Pwned revealed insights into the scope of the data breach. According to its report, “the data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders, and data relating to status within the loyalty program.”
Customers’ geographic locations and email addresses were part of the stolen data.
Why Carnival may have been targeted
Based on past data breaches claimed by ShinyHunters, one can infer that it targets very large corporations. But Carnival’s case appears to be unique. The company has already experienced a couple of data breaches.
In 2020, the company disclosed three separate cyberattacks — one in March, another in August, and a third in December. Also, in June 2021, compromised employee email accounts were used to access and steal customer, employee, and crew information.
Carnival may not sit within industries traditionally viewed as cyber crown jewels, such as finance, healthcare, defense, or legal services. However, it still manages something threat actors consistently covet: large volumes of identity-rich customer data.
BleepingComputer says Carnival operates nine of the world’s leading cruise line brands, serves millions of customers yearly with over 90 ships, and employs over 160,000 people.
Where most see a thriving company, threat actors see a lucrative target. For attackers, millions of customer records tied to travel, personal information, accounts, and internal business systems can carry lasting value for fraud, phishing, or follow-up attacks.
What affected customers should do now
Carnival has begun reaching out to the nearly 6 million affected customers, and, per its filings with Maine’s Attorney General’s Office, they are likely to receive identity protection services.
If you have received a “Notice of Cybersecurity Event,” you should enroll in the provided protection as soon as you can, and remain vigilant for suspicious requests.
