Earlier this week, Carnival Corp. — the parent company of Princess and Holland America cruises — reported that hackers gained unauthorized access to some employee email accounts between April 11 and July 23, 2019. Those accounts contained the personal data of those who traveled and worked on-board the Princess and Holland America ships, exposing a wide range of data, including:
Carnival did not disclose how many passengers and employees were affected by the data breach and did not respond to CNBC Make It's request for comment. But the cruise company did file a data security notice with the California Attorney General, which indicates at least 500 California residents were involved because that is the minimum number of people needed to trigger a mandatory filing.
This is a "particularly nasty breach," says Jim Van Dyke, co-founder and CEO of Breach Clarity, a company that scores consumer risk of identity fraud and financial fraud caused by data breaches. Breach Clarity rated both the Princess and Holland America breaches a 'seven' risk level, which is a score that's rarely seen within the company's one to 10 risk severity scale, which estimates how strongly a data breach could raise the risk of identity fraud.
"Both of these breaches create extraordinary levels of risk," Van Dyke tells CNBC Make It. For all publicly reported U.S. breaches that have occurred since 2018, those affecting over a million victims had an average Breach Clarity score of only 2.15, while those affecting less than a million people had an average Breach Clarity score of 3.38.
"It's important for victims to understand exactly what data was exposed so they can implement a meaningful risk minimization plan," says Eva Velasquez, president and CEO of Identity Theft Resource Center.
Here are a few steps experts recommend taking if you think you may have been affected by the Princess and Holland America data breaches.
Currently, there's no indication that any of the accessed data has been misused, Carnival said in a public statement, but the company is going ahead and offering free credit monitoring and identity protection services "to give those affected peace of mind."
"We take privacy and security of personal information very seriously, and we are offering affected individuals free credit monitoring and identity theft detection services," Carnival said in sample consumer notification letter submitted to the California attorney general.
Carnival is offering affected customers and employees 12 months of credit and CyberScan monitoring that tracks activity on the Internet and dark web through MyIDCare. In addition to monitoring, the service provides a $1,000,000 insurance reimbursement policy and identity theft recovery services.
Those interested in enrolling in MyIDCare have until June 1, 2020 to take advantage of the offer. For questions, Carnival recommends contacting the cruise line at +1 (833) 719-0091 (toll-free U.S.) or +1 (936) 215-6456 (international). You will be transferred to a specialized team handling the data breach.
While Carnival said that not every passenger and employee had every piece of information on the list above accessed, affected consumers should review their credit cards and financial accounts for irregularities.
If you suspect your credit card number has been stolen, report it immediately to your credit card company. They will typically close the account, investigate any reported charges and issue you a new credit card.
Keep in mind that if your credit card number is compromised and used fraudulently, you're typically not on the hook for that money. The Fair Credit Billing Act makes it so consumers are only liable for up to $50 in fraudulent charges. And major credit card companies, including American Express, Discover, Mastercard and Visa offer "zero liability" policies, so you don't have to pay for any fraud. That's why many experts recommend that you use credit cards instead of debit cards.
If you don't spot any immediate issues, set up account activity alerts through your bank and credit card provider, Van Dyke says, and pay particular attention to any foreign, online or large value transactions.
In terms of replacing your identification documents, such as driver's licenses and passports, you'll need to contact state and federal agencies, Velasquez says. "If your state driver's license was exposed, contact your state issuer and follow their instructions regarding how you flag or report this," she says.
If a passport number is exposed, you'll need to contact the State Department. You can request a new passport and number, but there's a fee for renewal you will likely need to pay, which victims need to take into consideration, Velasquez says.
In many data breaches, experts recommend that consumers put a freeze on their credit reports to stop anyone from taking out a credit card or loan in their name.
Van Dyke says credit freezes are an "essential tool" for preventing one of the most costly identity crimes: new financial credit account fraud, which is when fraudsters get a credit card or loan like a mortgage in your name. These crimes typically have an average face value of over $1,000, with high consumer out-of-pocket costs, but nearly every new credit account fraud attempt will be stopped cold if the consumer has frozen their credit.
That said, credit freezes are not a silver bullet against identity theft. A credit freeze doesn't do much for identity theft that is not related to opening up a credit account, says cybersecurity expert Joseph Steinberg. That includes medical identity theft and scams in which criminals set up new bank accounts.
However, in this case, because there was financial information and credit card numbers potentially exposed, it's a good idea to take this extra precautionary step. "While it doesn't protect you from all forms of identity theft, it does stop someone from opening new accounts in your name," Velasquez says. "A credit freeze is a best practice for all consumers, not just those affected by a particular data breach."
If you want to freeze your credit reports and haven't already done so, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit if you're applying for any credit products in the future, like a personal loan, credit card or mortgage.
Although Carnival did not specify that information on passengers' email accounts was accessed, it's a good idea to change any passwords associated with your Princess and Holland America bookings, as well as any bank or credit card accounts used to make reservations. You should always be changing your passwords regularly.
Almost half of Americans (47%) use the same passwords over and over again, according to PCI Pal. This can cause problems in a data breach: Only one account may be compromised, but if you've used that same password in several places, you'll need to change all of them. "If you are using the same password on more than one account… that's a very risky practice that makes it easy for ID thieves to steal your data," Velasquez says.
Instead, create easy to remember passphrases for each account you have that are at least 12 characters long. You can also look into using a password manager such as LastPass or Dashlane. These programs will automatically generate unique, secure passwords for all your accounts and remember them for you.
To protect your data year-round, experts recommend that consumers practice common safeguards, such as avoiding clicking on links or opening attachments in emails, especially when you don't know the sender.
Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what's called a phishing email. "Email is the No. 1 way cybercrime of all forms happens. If a bad guy can get you to click on a link in an email, he can do all manner of bad things to your online life," says Dave Baggett, co-founder and CEO of anti-phishing start-up Inky.
Consumers should use two-factor authentication to log into their accounts, especially financial accounts, Van Dyke says. Two-factor authentication generally requires users to not only enter a password, but also confirm their identity by logging onto their phone or entering a code texted or emailed to them.
It can't be stressed enough: The best response is to be vigilant, Steinberg says. There are some pieces of information that don't typically change, such as Social Security numbers and your home address. Because of their static nature, they become more valuable over time, Steinberg says.
If you're concerned with exposure, you may want to consider creating and using different email addresses for non-essential purposes, such as traveling or shopping, Daniel Smith, head of security research at Radware, tells CNBC Make It. The same applies for the phone number you provide. "Isolating your primary information from unnecessary exposure is the key takeaway," he says.
Keep in mind that if you do experience identity theft, you can set up an extended fraud alert on your credit file. When you take this step, you can get two free credit reports a year and the credit bureaus must take your name off marketing lists for prescreened credit offers for five years. The extended alert lasts for seven years.