Carnival Data Breach Exposed 6 Million People

Carnival Data Breach Exposed 6 Million People

Briefly

"Carnival said the incident was identified on April 14, after hackers gained access to an employee's account via social engineering. Using the compromised account, the attackers accessed certain company systems and exfiltrated files containing personal information. "The company has been conducting a thorough and time-consuming analysis of the impacted files to determine what personal information they contained and to whom that information belongs," an incident notice on Carnival's website reads."

"According to the company, the potentially impacted information varies by individual, but generally includes names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers. On Wednesday, Carnival informed the Maine Attorney General's Office that 5,995,277 people were affected and that it was providing them with 24 months of free credit monitoring services."

"While the company has not shared further details on the attack, the incident was claimed last month by the infamous extortion group ShinyHunters. On its leak site, the hacking gang claimed the theft of 8.7 million records from Carnival's systems, and made the data publicly available in late April. According to data breach notification website HaveIBeenPwned, which analyzed the leaked dataset, roughly 7.5 million accounts related to the Mariner Society loyalty program run by Carnival cruise line brand Holland America were likely affected."

"The leaked information included names, email addresses, dates of birth, gender, geographic locations, and loyalty program details. SecurityWeek has emailed Carnival for additional information on the matter and will update this article if the company responds. "From a defensive perspective, companies should treat social engineering resilience"