Security Experts:

Connect with us

Hi, what are you looking for?



Carnival Corp. Confirms Personal Information Compromised in Ransomware Incident

Leisure travel company Carnival Corporation last week confirmed that personal information pertaining to guests, employees, and crew was compromised in an August 2020 ransomware attack.

Leisure travel company Carnival Corporation last week confirmed that personal information pertaining to guests, employees, and crew was compromised in an August 2020 ransomware attack.

Carnival, which owns 10 global cruise line brands and a tour company, employs more than 120,000 people and has a fleet of 102 ships. Prior to the COVID-19 pandemic, which forced the company to suspend operations, Carnival served more than 11 million guests per year.

In mid-August, the company announced that it detected a ransomware attack that resulted not only in some of its systems being encrypted, but also in the unauthorized download of some files.

In an 8-K form filed at the time with the U.S. Securities and Exchange Commission to announce the security incident, the company said the attack affected the technology systems for a cruise line brand, but did not mention which. An investigation was launched and law enforcement was alerted.

Last week, Carnival filed a 10-Q form with the SEC, confirming that certain personal data was compromised. However, it did not reveal the number of affected people or what type of information was accessed.

“On August 15, 2020, we detected a ransomware attack and unauthorized access to our information technology systems,” the filing reads. “While the investigation is ongoing, early indications are that the unauthorized third-party gained access to certain personal information relating to some guests, employees and crew for some of our operations.”

In the filing, Carnival also notes that it is not aware of the compromised data being misused.

“There is currently no indication of any misuse of this information. While at this time we do not believe that this information will be misused going forward or that this incident will have a material adverse effect on our business, operations or financial results, no assurances can be given and further we may be subject to future attacks or incidents that could have such a material adverse effect,” the company also said.

In March 2020, the cruise operator revealed a data breach that was initially identified in May 2019, and which resulted in large amounts of sensitive data pertaining to its guests being accessed by an unauthorized party.

Related: Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Related: U.S. Semiconductor Maker MaxLinear Discloses Ransomware Attack

Related: Cognizant Says Data Was Stolen in April Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.