- Carnival confirmed a supply chain breach affecting its Holland America Line loyalty program, with millions of customer records exposed
- ShinyHunters claimed responsibility and leaked 8.7 million records that included personal data and millions of unique email addresses.
- Carnival acknowledges the incident and notifies authorities, but downplays the scope and describes it as a single-account phishing compromise.
Carnival Corporation has confirmed that it suffered a supply chain attack that resulted in the loss of sensitive data belonging to millions of customers.
As the world’s largest cruise company, Carnival operates multiple brands that operate passenger cruises and offer leisure travel options. One of its subsidiaries is Holland America Line, a premium cruise line that operates mid-sized ships and has a loyalty program called Mariner Society.
The infamous ShinyHunters collective added Holland America Line to its data breach website, claiming to have taken 8.7 million records, including names, dates of birth, genders and membership status details.
Article continues below.
Confirming non-compliance
The hackers apparently leaked the data because Holland America Line never bothered to discuss paying a ransom:
“The company was unable to reach an agreement with us despite our incredible patience,” the group reportedly said. “They don’t care.”
In those 8.7 million records, there were at least 7.5 million unique email addresses, a database breach. Have I been fooled? noted.
In a statement given to Cruise HiveCarnival said it “acted quickly” to stop the attack, as soon as it was detected, and ensured the intruders remained outside, before also notifying police.
“Privacy and data protection are extremely important to Carnival Corporation and we are working closely with trusted global security experts to be thoughtful and deliberate in our review of the data involved, recognizing that anonymous reports circulating online are not always accurate,” a spokesperson said.
“If we determine that personal information was affected, we will follow all disclosure requirements and communicate directly with affected individuals.”
The company allegedly severely downplayed the significance of the incident, telling Have I Been Pwned? that the breach involved a phishing trail against a single user account.
Through The Registry
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
