Leisure travel company Carnival Corporation last week confirmed that personal information pertaining to guests, employees, and crew was compromised in an August 2020 ransomware attack.
Carnival, which owns 10 global cruise line brands and a tour company, employs more than 120,000 people and has a fleet of 102 ships. Prior to the COVID-19 pandemic, which forced the company to suspend operations, Carnival served more than 11 million guests per year.
In mid-August, the company announced that it detected a ransomware attack that resulted not only in some of its systems being encrypted, but also in the unauthorized download of some files.
In an 8-K form filed at the time with the U.S. Securities and Exchange Commission to announce the security incident, the company said the attack affected the technology systems for a cruise line brand, but did not mention which. An investigation was launched and law enforcement was alerted.
Last week, Carnival filed a 10-Q form with the SEC, confirming that certain personal data was compromised. However, it did not reveal the number of affected people or what type of information was accessed.
“On August 15, 2020, we detected a ransomware attack and unauthorized access to our information technology systems,” the filing reads. “While the investigation is ongoing, early indications are that the unauthorized third-party gained access to certain personal information relating to some guests, employees and crew for some of our operations.”
In the filing, Carnival also notes that it is not aware of the compromised data being misused.
“There is currently no indication of any misuse of this information. While at this time we do not believe that this information will be misused going forward or that this incident will have a material adverse effect on our business, operations or financial results, no assurances can be given and further we may be subject to future attacks or incidents that could have such a material adverse effect,” the company also said.
In March 2020, the cruise operator revealed a data breach that was initially identified in May 2019, and which resulted in large amounts of sensitive data pertaining to its guests being accessed by an unauthorized party.
Related: Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack
Related: U.S. Semiconductor Maker MaxLinear Discloses Ransomware Attack
Related: Cognizant Says Data Was Stolen in April Ransomware Attack