Carnival Corporation and plc

On August 15, 2020, Carnival Corporation and plc experienced a data breach due to unauthorized third-party access to its IT systems. The incident, reported by the California Office of the Attorney General on February 4, 2021, exposed sensitive personal information of both guests and employees. Compromised data included names, addresses, passport numbers, and Social Security numbers—highly sensitive identifiers that could lead to identity theft, financial fraud, or targeted phishing attacks. The breach underscored vulnerabilities in Carnival’s cybersecurity defenses, raising concerns about the protection of customer and employee data. Given the nature of the stolen information, the incident posed significant risks of long-term reputational damage, regulatory scrutiny, and potential legal liabilities. The exposure of passport and Social Security numbers, in particular, elevated the severity, as such data is often exploited in large-scale fraud schemes or sold on dark web marketplaces. Carnival’s failure to prevent the breach highlighted systemic weaknesses in safeguarding critical personal data against sophisticated cyber threats.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-537788

TPRM report: https://www.rankiteo.com/company/carnival-corporation

"id": "car1010090725",
"linkid": "carnival-corporation",
"type": "Breach",
"date": "8/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'Travel & Leisure (Cruise Line)',
                        'location': 'Global (HQ: USA/UK)',
                        'name': 'Carnival Corporation and plc',
                        'type': 'Corporation'}],
 'attack_vector': 'Unauthorized third-party access',
 'data_breach': {'data_exfiltration': 'likely',
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'passport numbers',
                                                         'Social Security '
                                                         'numbers'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personal information', 'PII']},
 'date_detected': '2020-08-15',
 'date_publicly_disclosed': '2021-02-04',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving Carnival Corporation and plc on February 4, '
                '2021. The breach occurred on August 15, 2020, due to '
                "unauthorized third-party access to the company's information "
                'technology systems, potentially impacting guest and employee '
                'personal information including names, addresses, passport '
                'numbers, and Social Security numbers.',
 'impact': {'data_compromised': ['names',
                                 'addresses',
                                 'passport numbers',
                                 'Social Security numbers'],
            'identity_theft_risk': 'high (PII exposed)',
            'systems_affected': ['information technology systems']},
 'references': [{'date_accessed': '2021-02-04',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['California data breach '
                                                    'notification laws '
                                                    '(potential)'],
                           'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'title': 'Carnival Corporation and plc Data Breach (2020)',
 'type': 'Data Breach'}