Carnival Cruise Hit By Data Breach, Warns of Data Misuse Risk

Carnival Corporation, the world’s largest cruise ship operator, has disclosed a data breach after attackers gained access to some of its IT systems and the personal, financial, and health information belonging to customers, employees, and crew.

Carnival is included in both S&P 500 and FTSE 100 stock market indices, has more than 150,000 employees in roughly 150 countries, and provides leisure travel to roughly 13 million guests each year.

The company operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).

Data misuse risk warning

“Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021,” the cruise line operator giant says in a data breach notification letter recently sent to affected customers.

However, Carnival’s SVP & Chief Communications Officer Roger Frizzell told BleepingComputer after the article was published that the attackers gained access to “limited portions of its information technology systems.”

“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew.

“The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.”

According to Carnival, the accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.

The cruise line operator also warned impacted customers, employees, as well as Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations crew that they found evidence indicating “a low likelihood of the data being misused.”

Hit by ransomware twice in one year

BleepingComputer previously reported that a ransomware attack also hit Carnival in August 2020, an incident confirmed by the cruise line operator in an 8-K form filed with the US Securities and Exchange Commission (SEC).

Two months later, Carnival said in a separate SEC filing that the ransomware gang behind the August attack gained access to the personal information of both customers and employees during the attack.

Roughly 37,500 individuals were affected by the August ransomware attack, according to info filed by Carnival with the Office of Maine’s Attorney General.

The August ransomware attack came after a data breach disclosed in March 2020 that also led to the exposure of customers’ personal and financial info after threat actors gained access to Carnival employees’ email accounts.

In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with “investigation and remediation phases” still ongoing, according to a 10-Q form filed with the SEC in April 2021.

“There is currently no indication of any misuse of information potentially accessed or acquired and we continue to work with regulators to bring these matters and other reportable incidents to conclusion,” Carnival said about the December 2020 ransomware incident.

BleepingComputer reported at the time that the German cruise line and Carnival subsidiary AIDA Cruises was dealing with mysterious “IT restrictions” that led to the cancellation of their New Year’s Eve cruises.

Costa Crociere, another Carnival subsidiary, was also affected by an IT outage around the December ransomware attack that prevented customers from booking trips via the cruise line’s online reservation system.

AIDA Cruises, Costa Crociere, and Carnival Corporation did not reply to BleepingComputer emails regarding the disruptions and trip cancellations.

Update: Added info provided by Roger Frizzell, Carnival’s SVP & Chief Communications Officer.


