On August 15, Carnival detected unauthorized third-party access to portions of the company’s information technology systems.
Information Security at Carnival Corporation acted quickly to shut down the intrusion, restore operations and prevent further unauthorized access. The company also engaged a major cybersecurity firm to investigate the matter and notified law enforcement and appropriate regulators of the event.
While the investigation is ongoing, early indications are that in early August the unauthorized third party gained access to certain personal information relating to some guests, employees and crew for three of the corporation’s brands — Carnival Cruise Line, Holland America Line and Seabourn, as well as casino operations. Working with its cybersecurity consultants, the company took steps to recover its files and has evidence indicating a low likelihood of the data being misused.
The company is working as quickly as possible to identify the guests, employees, crew and other individuals whose personal information may have been impacted.
The company expects to complete this process within the next 30 to 60 days and will then send notifications to potentially affected individuals whose current contact information is available to the company. Along with those individual notices, affected individuals will be offered complimentary credit monitoring, as appropriate.
Meanwhile, the company has posted website notices and established a dedicated call center to answer questions regarding the event. When the investigation is complete, callers may confirm whether or not their information was affected.