The California Office of the Attorney General disclosed a data breach at **Royal Caribbean Cruises Ltd.** in which unauthorized actors gained access to employees’ email accounts between **February 6 and February 18, 2021**. The compromised data included highly sensitive personal information such as **names, contact details, dates of birth, gender, nationality, passport numbers, state driver’s license numbers**, and **tokenized or partial payment card information**. The breach was formally reported on **June 23, 2021**, months after the initial intrusion.

The incident highlights a significant exposure of **internal employee data**, raising concerns over identity theft, financial fraud, and potential misuse of government-issued identifiers. While the breach did not directly involve customer records, the nature of the accessed data, particularly passport and driver’s license details, poses long-term risks for affected employees, including phishing attacks, credential stuffing, or targeted scams. The delayed detection and reporting further exacerbate the severity, as the window for exploitation remained open for an extended period.

For a global cruise operator handling vast volumes of sensitive data, the breach underscores vulnerabilities in **email security protocols** and third-party risk management. The exposure of partial payment card data, though tokenized, adds a financial dimension to the reputational and operational fallout. Regulatory scrutiny and potential legal repercussions may follow, given the scope of personally identifiable information (PII) involved.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-542141
TPRM report: https://www.rankiteo.com/company/royal-caribbean-group
{
  "id": "roy1011090725",
  "linkid": "royal-caribbean-group",
  "type": "Breach",
  "date": "2/2021",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
    'affected_entities': [
        {
            'industry': 'Travel & Hospitality (Cruise Line)',
            'location': 'Miami, Florida, USA',
            'name': 'Royal Caribbean Cruises Ltd.',
            'type': 'Corporation',
        },
    ],
    'attack_vector': 'Unauthorized Access (Email Account Compromise)',
    'data_breach': {
        'data_exfiltration': 'Likely (unauthorized access to email accounts)',
        'personally_identifiable_information': True,
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': [
            'Personally Identifiable Information (PII)',
            'Government-Issued Identification',
            'Payment Card Information (Partial/Tokenized)',
        ],
    },
    'date_publicly_disclosed': '2021-06-23',
    'description': 'The California Office of the Attorney General reported that Royal Caribbean Cruises Ltd. experienced a data breach involving unauthorized access to employees’ email accounts between February 6 and February 18, 2021. Personal data potentially accessed includes names, contact information, date of birth, gender, nationality, passport numbers, state driver’s license numbers, and tokenized or partial payment card information.',
    'impact': {
        'data_compromised': [
            'Names',
            'Contact Information',
            'Date of Birth',
            'Gender',
            'Nationality',
            'Passport Numbers',
            'State Driver’s License Numbers',
            'Tokenized or Partial Payment Card Information',
        ],
        'identity_theft_risk': 'High (PII and government-issued IDs exposed)',
        'payment_information_risk': 'Moderate (Tokenized/partial payment card data exposed)',
        'systems_affected': ['Employee Email Accounts'],
    },
    'initial_access_broker': {'entry_point': 'Employee Email Accounts'},
    'references': [{'source': 'California Office of the Attorney General'}],
    'regulatory_compliance': {
        'regulations_violated': ['California Consumer Privacy Act (CCPA)'],
        'regulatory_notifications': ['California Office of the Attorney General'],
    },
    'response': {
        'communication_strategy': 'Public disclosure via California Attorney General report',
    },
    'title': 'Royal Caribbean Cruises Ltd. Data Breach (2021)',
    'type': 'Data Breach',
}