By now, it’s sort of the understatement of the year to note that the coronavirus pandemic has walloped some businesses much harder than others — though, whatever the spectrum that you’re looking at consists of, it’s probably fair to say that cruise ship operators sit on the far end of the long tail where absolutely nobody wants to be right now. The travel industry, in general, is having to work extra hard to lure consumers back to flying the friendly skies, booking hotel rooms, and the like. Cruise ships, meanwhile, occupy another class of worry entirely for some travelers. It was an outbreak on a cruise ship back at the beginning of 2020 that started freaking people out about COVID-19. If you’re stuck on a ship and there’s an outbreak, what are you going to do, exactly?
Bleeping Computer has shared an official data breach letter that Carnival sent out to customers, in which it acknowledges a data breach incident that occurred in March. According to the letter, an unauthorized third party “gained access to certain personal information relating to some of our guests, employees and crew.” The relevant information that was accessed, the letter continues, includes the kinds of data you’d expect to be collected “during the guest experience and travel booking process” as well as through the course of employment or providing services to the company.
That means things like names, addresses, phone numbers, passport numbers, dates of birth and health information. The cherry on top is the inclusion of the following ridiculous sentence that’s worded as awkwardly as humanly possible:
“There is evidence indicating a low likelihood of the data being misused.”
What is that sentence in the data breach letter even trying to say? That there’s only a low likelihood the data will be misused? If so, why did the hackers even bother with this? Or maybe that sentence is saying, instead, that there’s a low likelihood that the data will definitely be used for nefarious purposes — in other words, there’s a small chance that some of the victims caught up in this thing aren’t just screwed, they’re really screwed.
At any rate, Carnival told Bloomberg that it “acted quickly to shut down the event and prevent further unauthorized access” as soon as it learned of the data breach. Nevertheless, as noted earlier, this is but the latest in a string of security incidents to hit Carnival over the past year, including a data breach in March of 2020, and then a pair of ransomware attacks in August and again in December.