The 15 August attack, described at the time by the group as a "ransomware" event, was disclosed by Carnival Corp two days later, although it declined at that point to state which brands were affected.
Carnival Corp said the attackers were able to "access and encrypt" a portion of one of its brands’ information systems, adding that data files were also downloaded by those responsible.
It subsequently referred itself to the Information Commissioner’s Office (ICO) in the UK, which has powers to fine firms up to 4% of their annual turnover for serious data breaches or cybersecurity incidents.
In an update issued on Tuesday (13 October), the group revealed the attack compromised personal data belonging to guests, employees and crew of Carnival Cruise Line, Holland America Line and Seabourn.
Its casino operations were also compromised, Carnival Corp confirmed.
"Information security at Carnival Corporation acted quickly to shut down the intrusion, restore operations and prevent further unauthorised access," said the group.
"The company also engaged a major cybersecurity firm to investigate the matter and notified law enforcement and appropriate regulators of the event."
The corporation said that, after working with cybersecurity consultants, it took steps to recover data files and had evidence to suggest there was a "low likelihood of the data being misused".
Carnival Corp said it was working "as quickly as possible" to identify affected individuals, and expects to complete this process within the next 30 to 60 days.
These individuals will be notified and will be offered complimentary credit monitoring. Carnival Corp has also set up a dedicated call centre to handle questions about the situation.
"As part of its ongoing operations, the company is continuing to review security and privacy policies and procedures and implementing changes when needed to enhance information security and privacy controls," Carnival Corp added.