#Privacy: Norwegian Cruise Line hit by data breach

Norwegian Cruise Line has suffered a data breach as the travel industry continues to battle the COVID-19 pandemic. 

On March 13, the threat intelligence team at DynaRisk discovered a database, belonging to the major cruise operator, on the dark web. 

The database contained login credentials, email addresses and clear text passwords used to log in to the Norwegian Cruise Line travel agent portal by agents working for Virgin Holidays, TUI and more. 

According to DynaRisk, 29,969 records were breached. 

Upon verifying the data records, DynaRisk immediately notified Norwegian Cruise Line, however, it wasn’t until five days later that a representative responded to the notification. 

DynaRisk explained that agents are now at high risk of being targeted by cyber attacks. 

“They are now exposed to account takeovers on numerous platforms, sophisticated phishing emails and fraud, which could put further pressure on large travel agents or worse still, put smaller agents out of business,” said a DynaRisk spokesperson. 

Norwegian Cruise Lines told Forbes: “It has recently come to our attention that the agents.ncl.eu website may have been compromised. In an abundance of caution, we are in the process of asking certain travel partners that may have been affected to change their password for the site and any site for which they may have used the same password, and to remain vigilant of any suspicious activity or emails. 

“We believe limited personal information was involved, specifically names of travel agencies and business contact information such as business addresses and email. This appears to be a unique and isolated incident that involved only a regional travel partner portal which houses marketing materials and educational information and did not involve guest data. We are deeply committed to protecting the security and confidentiality of information and regret any concern this matter may have caused.”

Earlier this month, Princess Cruises and Holland America Line announced that it had fallen victim to a cyber attack, whereby a series of deceptive emails were sent to employees, resulting in unauthorised third party access to some employee email accounts. 


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.