Carnival hit by data breach — how to tell if you're affected

The Carnival Victory cruise ship sets sail from Grand Cayman island in 2013.
(Image credit: NAN728/Shutterstock)

Carnival, the world's largest cruise-line operator, has had personal information of customers, crew members and other employees stolen in a data breach.

"Names, addresses, phone numbers, passport numbers, dates of birth, health information and in some limited instances additional personal information, such as Social Security or national identification numbers" were stolen, according to a breach-notification letter obtained by Bleeping Computer.

"There is evidence of a low likelihood of the data being misused," the notification letter says. None of that evidence was cited in the letter.

This is at least the fourth time Carnival has had its internal systems hacked. Last year, Carnival was hit by two ransomware attacks and another attack that resulted in a data breach, according to Bleeping Computer.

The U.S.-based Carnival Corporation and its British twin, Carnival PLC, jointly own and operate Carnival Cruise Line, Holland America Line, Princess Cruises, Cunard Line, P&O Cruises, Seabourn Cruise Line, Costa Cruises and  AIDA Cruises, which operate worldwide.

A Carnival spokesman told ABC News that the company detected that its information systems had been penetrated on March 19 and subsequently launched an investigation. 

Carnival did not provide a number for how many persons might have had their personal information stolen in this data breach, but if you do get that notification letter, take it very seriously. 

A full name, current address, date of birth and Social Security number, all of which were revealed in this breach, are all the information a criminal needs to open accounts in your name. 

Carnival breach: What to do now

Carnival is offering 18 months of free identity-theft protection and credit monitoring provided by Cyberscout to all affected individuals. Carnival customers and employees can call (800) 905-0687 on weekday or email for more information. Instructions and an enrollment code are included in the breach notification letter.

Tom's Guide recommends that affected persons take up the company on its offer of an identity-theft-protection subscription, but please read the fine print before you sign up. Accepting the offer may limit your ability to take legal action against the company if your identity is indeed stolen as a result of this breach.

Also, please note that Carnival's Cyberscout offer monitors only one of the Big Three credit-reporting agencies, and lasts for only 18 months. Many other large companies that have customer personal data stolen, such as Volkswagen just last week, offer two years of credit monitoring and identity-theft-protection. Some of those offers monitor all three major credit reporting agencies, not just one. 

For a more thorough explanation of what kind of credit monitoring and identity protection is available to consumers, please visit our page on the best identity-theft-protection services.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.