The world’s largest cruise operator Carnival Corp. & plc today disclosed a new data breach involving the theft of personal data, its third data breach in just over two years.

The latest data breach was detected on March 19. The breach involved the theft of “personal information relating to some guests, employees and crew for Carnival Cruise Line, Holland America Line, Princess Cruises and medical operations.” The stolen data included names, addresses, phone numbers, passport numbers, dates of birth, health information — including COVID-19 testing — and in some cases, Social Security and national identification numbers.

The exact form of the attack is not clear, with the company describing it as “unauthorized third-party access to a limited number of email accounts.” Carnival says it acted quickly to shut down the event to prevent further unauthorized access. The company added that they had engaged a leading cybersecurity firm to investigate the matter and have notified appropriate regulators.

This third time is not a charm for Carnival, which now has suffered data breaches once a year since 2019. In March 2020, Carnival disclosed a breach that involved hackers accessing employee accounts in May 2019. In August, the company revealed that it had been hit by a ransomware attack with customer data stolen.

“The fact that Carnival has been hit three times means some serious questions need to be asked on what this company is doing to protect its sensitive information,” John Bambenek, threat intelligence advisor at information technology services management company Netenrich Inc., told SiliconANGLE. “At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks.”

Tyler Shields, chief marketing officer at cyber asset management government solutions provider JupiterOne Inc., noted that “ransomware breaches plus data compromise tend to go hand in hand.”

“We don’t always see both taken advantage of at the same time, but if the attacker has the ability to encrypt and lock down your data they likely also have the ability to read and capture the data for use elsewhere,” Shields explained. “It’s just if they choose to do it or not. I’m not surprised that all of this has come out over the last year, given the type of breach they appear to have suffered.”

Image: Carnival