Princess Cruises confirmed a data breach on its website 10 months after the supposed cyber attack. According to Tech Crunch, a notice posted on the page was made around early March 2020.
The company’s confirmation comes after it has been embroiled in a massive quarantine following the pandemic’s outbreak. Operations of its cruise lines are suspended until May 2020 of this year after the epidemic’s prevalence on its ships.
Two units of Carnival Corp were affected, including Princess Cruises. Reuters states that the other affected party is Carnival Corp’s Holland America Line.
Based on its notice, Princess Cruises said it became aware of a data breach in May 2019. It allegedly detected unauthorized access to several of its email accounts from April to July 2019. Most of these email accounts held personal information of its crew, employees, and guests.
Some of the personal information compromised in the data breach includes names and addresses. In addition, government identification cards, as well as Social Security numbers, may have also been obtained by hackers. Apart from these, the cyber attacks are reported to have mined passport and driver license numbers.
Tech Crunch states that financial details and health information have also been exposed. Credit card details are also vulnerable.
Despite these massive vulnerabilities, the cruise line maintains that the data is “not specific to each guest.” Moreover, Princess Cruises remains confident that there is no misuse of personal information nor is their evidence of these data being exploited.
To address the incident, the cruise line said it had already contacted the relevant authorities in place. The company has also reviewed its current policies in place and are currently in the works of improving its security system. It has also shut down the attack to prevent hackers from further gaining access to the system.
Following the disclosure of the data breach 10 months after the incident, Princess Cruises has declined to say what urged the company to disclose the leak. In the same way, it is not clear why the company has taken a long time to notify the public about the said breach.
However, Tech Crunch states that businesses who fail to do so may be fined up to 4% or 20 million euros, whichever is higher, of their annual revenues as a violation of the European data protection rules in place.
As of writing, representatives of the cruise ship has yet to respond to requests to comment on the incident.