Australians are among nearly 6 million Carnival cruise passengers whose personal data was stolen in a breach the company has confirmed was carried out by a notorious cybercrime group.
Carnival Corporation, the world’s largest cruise operator and parent of P&O Australia, began notifying affected customers on May 27 after detecting unauthorised access on April 14. The breach stemmed from a social engineering attack on a single employee account. Such attacks use psychological manipulation to trick users into making security mistakes.
Stolen data included names, addresses, dates of birth, phone numbers and government-issued identification such as passport and driver’s licence numbers. The extortion group ShinyHunters claimed responsibility and leaked the data online after ransom talks broke down.
Data governance expert Sam Spencer said Carnival had shown “a continued cavalier attitude to data security” despite millions of dollars in fines in recent years.
“We know Australians were impacted, but we don’t know how many Australians were impacted, and that’s the problem,” he said. “Australians shouldn’t have to follow media announcements to know when data breaches happen, and the Australian government needs to do more.”
Carnival was contacted for further comment. While American customers were offered two years of free credit monitoring, Australian passengers were not.
