British-registered cruise liner Princess Cruises has confirmed a major data breach dating from April of last year. The cruise line has already been in the news frequently over the last couple of weeks, and is even listed separately in Microsoft’s new COVID-19 tracker, after two of its ships became coronavirus hotspots. Suspicious online activity was detected in May 2019, after which Princess Cruises engaged cybersecurity experts and initiated an investigation. It is unclear why the cruise line waited so long to go public about the breach.
Suspicious Activity Identified
“In late May 2019, we identified suspicious activity on our network”, Princess Cruises stated in their notice of data breach. “Upon identifying this potential security issue, we engaged cybersecurity forensic experts and initiated an investigation to determine what happened, what data was affected, and who was impacted.”
Further investigation revealed that cybercriminals had gained unauthorized access to multiple employee email accounts. Consequently, they were able to obtain personal information of guests, crew and employees. The data breach dates back to April 11, 2019, but is believed to have continued until July 23, 2019. The breach also affected Holland America Line, another travel company owned by the same parent company, Carnival Corporation.
Types of Compromised Data Vary
While the types of data potentially impacted vary for each individual, they can include name, address, Social Security number, passport number, driver’s license number, credit card information, financial account information, and health-related information. “This list is not specific to each guest”, the statement explains. The most likely consequence of this type of data breach for customers is an increase in phishing attacks and possibly identity theft.
At the moment, there is no evidence of misuse affecting individuals. The matter has been reported to law enforcement agencies, but Princess Cruises did not make public under which jurisdiction it reported the breach. Under the EU’s GDPR, a company can be fined up to 4% of its annual turnover for violations. GDPR jurisdiction extends outside the EU if a company deals with EU citizens within an EU state.