HOUSTON – Millions of Carnival Cruise passengers — including more than 800,000 Texans, according to the Texas attorney general’s office — may have had their personal information exposed in a recent data breach.
According to a notice posted by Carnival Corporation, the company discovered unauthorized activity involving an employee account on April 14.
Recommended Videos
OUR FIRST REPORT: Carnival data breach may affect thousands of Texans, exposing passport and driver’s license information
The company says a cybercriminal used a social engineering scheme to deceive an employee and gain access to a limited portion of its IT system. Investigators later determined the hacker illegally copied personal information.
The company says the compromised information may include names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, such as driver’s license and passport numbers.
Tim Howard, managing partner of cybersecurity consulting firm Fortify Experts, says the attack highlights a growing trend in cybercrime.
“That particular breach occurred through social engineering,” Howard said. “They acted like they were somebody else, like an administrator who got locked out, and they convinced the individual on the other side to open a door for them to get in.”
Howard says the rise of artificial intelligence is making cyberattacks more sophisticated and easier to carry out.
“We used to have a very small group of hackers that could go after you,” Howard said. “Now, anybody can be a hacker. Anybody can learn how to socially engineer.”
He says AI tools can help criminals create convincing emails, messages and even fake voices.
“They can now duplicate voices. They can even duplicate images,” Howard said.
What should Carnival passengers do?
Howard recommends three immediate steps for anyone concerned their information may have been exposed.
- Turn on multi-factor authentication
Multi-factor authentication, or MFA, requires a second form of verification before someone can access an account.
“You need to have multi-factor authentication turned on almost everywhere that you can turn it on, especially with anything connected to your financial systems,” Howard said.
- Stop reusing passwords
Cybersecurity experts recommend using unique passwords for every account and storing them in a password manager.
- Be cautious of unexpected calls, texts and emails
Howard warns that scammers may use information obtained during the breach to impersonate Carnival or other trusted organizations.
“If you didn’t call them, I would be very suspicious,” Howard said.
Experts say consumers should be especially cautious if someone claims there is an urgent problem and asks for money or sensitive information.
Howard says passengers whose personal information may have been exposed should consider placing fraud alerts or security freezes on their credit reports.
“If passport numbers went out, that’s a really bad thing,” Howard said. “They now have enough information to open up accounts under your name using your credit.”
Consumers can place fraud alerts or freezes through the three major credit bureaus:
- Experian
- Equifax
- TransUnion
According to Carnival, affected U.S. customers are being offered two years of complimentary credit monitoring through TransUnion.
Why are passengers just now learning about the breach?
Carnival says it first identified the unauthorized activity on April 14 and determined on April 22 that personal information had been copied.
The company says investigating exactly what information was accessed and identifying affected individuals took time.
“We understand this process can feel slow,” the company said in its online notice. “Complex incidents like this take time and careful investigation.”
The company says law enforcement has been notified and that it is not aware of any unauthorized activity since the attack was stopped in April.
What Carnival is saying
In its public notice, Carnival says it has strengthened its security and monitoring controls and continues working to improve its cybersecurity protections.
The company also established a dedicated call center for affected customers and is encouraging passengers to closely monitor financial accounts and credit reports for suspicious activity.