Carnival Corporation & plc has referred itself to the Information Commissioner’s Office (ICO) following a cyber attack on its systems at the weekend.
Carnival disclosed the breach on Monday (17 August), describing it as a ransomware attack that happened on Saturday (15 August).
The cruise giant was forced to take its contact centre offline, and it remained out of action on Monday and Tuesday.
Carnival said the attackers were able to "access and encrypt" part of one of its brands’ information systems, adding that data files were also downloaded, so the incident involves data theft as well as encryption.
It also said it expected the attack to have compromised personal data belonging to both guests and employees.
Carnival said it had launched an investigation, notified relevant authorities, and engaged incident response professionals – including "industry-leading" cybersecurity firms.
"Although we believe no other information technology systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance other information technology systems of the other company’s brands will not be adversely affected," said Carnival.
An ICO spokesperson said: “Carnival plc has reported a breach to us, and we will be making further enquiries.”
They added: “People have the right to expect that organisations will handle their personal information securely and responsibly.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.
“It is an organisation’s responsibility to fully assess a breach and then judge whether or not they need to report it to the ICO. Where possible, this should be done within 72 hours.”
Under the GDPR, the ICO can fine an organisation up to €20 million or 4% of its global annual turnover, whichever is higher, for serious infringements, including a failure to keep personal data secure.
Carnival’s turnover for its last full financial year (the year to 30 November 2019) was $20.8 billion (£15.8 billion), so a fine at the 4% maximum could run to around $830 million (£630 million).
In 2019 the ICO announced its intention to fine British Airways £183.39 million and Marriott International £99.2 million over data breaches; at the time of writing neither penalty had been finalised.