Princess, Holland America Report Personal Data Breach


Published Mar 5, 2020 9:16 PM by The Maritime Executive

The Carnival Corporation brands Holland America and Princess reported this week that they were affected by a cybersecurity breach involving the release of personal information in 2019.

In a statement, Holland America and Princess said that they identified suspicious activity on their networks in late May of last year. They brought in cybersecurity forensic experts to find out what happened and what data was affected; according to their analysis, it appears that from April 11 to July 23 an unauthorized third party had access to some employee email accounts containing personal information. 

The potentially compromised emails include data on employees, crew, and guests. The nature of the information varies by affected individual, but it can include the person's name, address, Social Security number, passport number or driver’s license number, credit card number, financial account information and health-related information.

So far, the two cruise lines do not have any evidence of misused personal data affecting any individual. They are working to review and improve their cybersecurity practices. 

Jim Van Dyke, co-founder and CEO of cyber-fraud risk rating startup Breach Clarity, told CNBC that the cyberattack on Holland America and Princess is a "particularly nasty breach" that creates "extraordinary levels of risk." Among other hazards, it could expose those affected to the possibility of fraudulent charges on their existing financial accounts, or the fraudulent creation of a new credit account under the victim's name. 

For now, Carnival advises anyone who may be affected by the breach to practice routine anti-fraud measures:

• Stay alert for “phishing” emails by someone who claims to know you or represent a company you know, then asks for sensitive information;

• Regularly review and monitor account statements and credit history for any signs of unauthorized transactions or activity;

• And report suspected identity theft to law enforcement.