The personal information of cruise passengers, crew and employees were compromised last year after an unauthorized party gained access to the email accounts of employees working for Princess Cruises and Holland America Line — both divisions of Carnival Corporation & plc.

According to a disclosure notification posted on both cruise lines’ websites [1, 2], as well as a letter filed with the California Attorney General’s office, Carnival in May 2019 became aware of anomalous network activity. “It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our employees, crew and guests,” says the disclosure, authored by Jennifer Garone, director of data privacy at Carnival.

A press release regarding the incident says that the perpetrator managed to access the email accounts via deceptive phishing emails.

Impacted data varies from person to person, but includes names, Social Security numbers, passport numbers, national identity card numbers, credit card and financial account information and health information. The company does not believe that any of the accessed information has been misused, but it nonetheless is offering free credit monitoring and ID protection services.

Carnival claims the company “acted quickly to shut down the attack and prevent further unauthorized access,” adding that, in response to the breach, it recruited a cybersecurity firm to investigate, and has reinforced and will be reviewing its security and privacy protocols, implementing changes as needed.