Carnival (CCL 12.44%) just can't catch a break.
Last month, the company's Princess Cruises subsidiary became the poster child for coronavirus when 10 passengers and crew aboard its Diamond Princess cruise liner tested positive for COVID-19. The situation escalated rather rapidly from there.
Now, adding insult to injury, Princess Cruises and the company's Holland America Line announced this afternoon that last May, they "identified a series of deceptive emails sent to employees resulting in unauthorized third-party access to some employee email accounts."
In short, they were hacked.
The subsidiaries each said they "acted quickly to shut down the attack and prevent further unauthorized access" and then "retained a major cybersecurity firm to investigate the matter while reinforcing security and privacy protocols to further protect systems and information."
What these experts discovered, however, was not reassuring. The hackers apparently gained access to "email accounts containing employee and guest personal information, including names, Social Security numbers, government identification numbers, such as passport numbers, national identity card numbers, credit card and financial account information, and health-related information."
So both personally identifiable information and financial information and health information all appear to have been breached.
The good news is that so far, the company's cybersleuths haven't discovered evidence that the hacked data has been misused. Just to be safe, though, Carnival will be hooking up affected customers with both credit monitoring services and identity protection services free of charge. It's not known how much these services will cost Carnival, but investors should probably anticipate a charge to earnings to cover the expense in the next company earnings report.
Clarification: This report was updated on March 3, 2020, to clarify which subsidiaries reported the cyberattack.