The cruise line announced on Wednesday that the incident, which happened in April, began when an unauthorized actor used social engineering to deceive an employee and gain access to the company's system.
Carnival claims that although the company quickly blocked the unauthorized activity, the hackers were still able to access passengers' personal information. The cruise line outlined the following as the impacted data it knew to be involved in the incident:
- Name
- Address
- Email address
- Phone number
- Date of birth
- Government-issued identification number (such as driver's licenses and passports)
The cruise line said it had reached out to customers affected by the breach and was providing them with credit monitoring services at no charge. Carnival advised its customers to remain vigilant against identity theft and fraud and to contact local police if they suspect they are victims.
The cruise line said it was reviewing its cybersecurity measures and taking steps to further safeguard its systems.
Carnival did not say how many customers were impacted by the data breach.