Letters sent on Breach of Info on HAL Sailings

[idiebabe]

Letters were sent out to some Passengers who sailed on Nieuw Statendam, Oosterdam and Zuiderdam Carib Sailings from Mid-Nov 2018 thru Mid-January.  These Sailings were  impacted by a Breach of Info of our Name, Address, DOB, Passport # as a result of HAL giving the entire Roster of passenger’s info to a Company named BAGS who handle the Luggage Direct program.  BAGS had their system hacked.  It does not matter if you used this service or not.  Many on the List of those impacted did not sign up for Luggage Direct.  Letters were sent out on May 30th to passengers after BAGS submitted a Report to HAL saying those Passengers were affected.  Some posted on another site yesterday that they just received a Letter within the last two days.  It must be coming to light that more have had their Info compromised since the Letter went out on May 30th.  We were on the January 6th NS Sailing and I was told I was not impacted but the Gal I spoke with in the Privacy Dept. via emails was unprofessional and did not answer my questions so not totally confident with her response especially since more people have received Letters in the last two days.    Very disturbing that HAL would give the entire Ship’s Roster to a 3rd Party regardless if someone is using the Service or not!  You can call 1-800-445-3719 which is a Help Line to find out if you are on the List given to HAL by BAGS of those that up to this point they know had their Info compromised.

[*Miss G*]

Wow.  So sorry to hear this.  I also find it disturbing they did that.  My husband and I were victims of the US Department of Justice information hack in 2016 so I know how you are feeling.  ☹️

Edited August 7, 2019 by *Miss G*

[Krazy Kruizers]

Sorry to hear this.  Entire lists of all passengers whether they used the service or not should nevver have been given out.

 

What a mess for people.

[idiebabe]

Thank you Miss G and KK!  So agree that the entire lists of all passengers should not be given out especially when only a small percentage used this Service.  Sad, too, that many who received a Letter that their Info was stolen did not sign up for this Service.  IMHO, HAL needs to change this Policy of sharing all Passenger Info with 3rd Party Vendors as in the case of Luggage Direct.  It makes me wonder how many other Sailings were impacted that HAL is not aware of (yet)!

[vinonme2]

Very, very disturbing situation.  How can HAL be so cavalier about giving out passenger personal information?

What are you supposed to do, what action can you do to prevent that information being used by the hacker?

 

Please keep us updated on this.

 

Gloria

[*Miss G*]

Did they offer you a free credit monitoring service at least?

[iancal]

Not a big issue. Passport number is meaningless.  Anyone can get names/addresses from a number of easily available pubic documents including phone directories-on line or otherwise.  As long as no banking or SS numbers are given out there should be no issue.

 

This happens more than one would expect.  Especially in the retail environment.

[avian777]

1 hour ago, iancal said:

Not a big issue. Passport number is meaningless.  Anyone can get names/addresses from a number of easily available pubic documents including phone directories-on line or otherwise.  As long as no banking or SS numbers are given out there should be no issue.

 

This happens more than one would expect.  Especially in the retail environment.

👍👍👍  Thank you for your very insightful Post.

[idiebabe]

2 hours ago, *Miss G* said:

Did they offer you a free credit monitoring service at least?

 

No and was pretty much told by the Privacy Dept. for Carnival Corp. to consider ourselves lucky that our names aren't on the List supplied by BAGS.  We have a Credit Monitoring Service because we own a business but wanted to share what happened to alert others on these Sailings of the situation. 

[idiebabe]

1 hour ago, iancal said:

Not a big issue. Passport number is meaningless.  Anyone can get names/addresses from a number of easily available pubic documents including phone directories-on line or otherwise.  As long as no banking or SS numbers are given out there should be no issue.

 

This happens more than one would expect.  Especially in the retail environment.

 

Not a big issue for you because you weren't impacted!  I don't think the couple on the NS Sailing that walked off with their bags and found out their info was stolen feels the same way and is now waiting for a course of action!

 

Hacking is done with Criminal intent.  All of us can be hacked by someone searching the Net for this info, etc. but this Company was targeted knowing they would have all this information on the Passengers.   The odds of being singled out by a search on the Net is not the same as having your name on a list that was stolen by a group of Hackers! 

 

 

[*Miss G*]

If they were given access to the passenger information, wouldn’t that include the credit card # on file?  That’s how Luggage Direct is paid.... from your shipboard account.

[avian777]

58 minutes ago, *Miss G* said:

If they were given access to the passenger information, wouldn’t that include the credit card # on file?  That’s how Luggage Direct is paid.... from your shipboard account.

 

Rhetorical question, right?

[iancal]

I would think that if your banking/credit card data, or SS data was accessed HAL would let you know very specifically that it was.  

 

 Cannot imagine why the banking/credit card data would be attached to luggage direct.  Why?  HAL collects the money, ie they charge you. Then they subcontract out to BAGS.  The last thing HAL wants if for you too see what they pay BAGS, hence they would never let BAGS bill you.  No different than any other third party subK like an excursion.  Passport # makes sense.  It is the least risky method of identification without sharing banking/credit/SS data.  

 

I would not be concerned nor would I be jumping up and down asking HAL to provide gratis credit checking services.  

[cruisebie]

I received one of these letters dated July 19 (but just received 2 days ago). The time frame for the breach must have expanded because I didn't sail between mid November 2018 and  mid January.  I cruised on the Veendam on the Atlantic Coast route from Montreal to FLL in October.  So, different region, earlier time frame. 

 

The letter did specify that DL numbers, phone numbers, email and physical addresses, credit card or other financial information were not impacted.

 

I can't imagine why HAL would share information on passengers who didn't utilize the service. How many other 3rd party vendors are they sharing our information with?  I also have to wonder why BAGS would retain that information in their database once the cruise was over. What use could it possibly be to them?  The letter doesn't make clear when the breach occurred, but it was reported to HAL on May 30, which would mean, at the least it had been stored for several months.

 

8 hours ago, *Miss G* said:

Did they offer you a free credit monitoring service at least?

 

Lol, no but they did tell us how to get a free credit report.

 

 

 

[iancal]

What next?   I suppose some people will use any excuse to pry a  future cruise credit or some such compensation even if they have not been negatively impacted from a financial perspective.  Give HAL a break.  A mistake was made.  I suspect both HAL and Bags will change their data storage and security procedures as a result of this.

 

Think about it.  There are some organizations, for profit and not for profit,   who actively sell  or trade customer lists to third party organizations. 

Edited August 8, 2019 by iancal

[cruisebie]

No future cruise credit wanted, needed or requested on my part.  

 

I'm not sure that HAL or BAGS deserve a break in this situation. As a customer I should have a right to expect that information I share with them is secure. And in the case of HAL, not unnecessarily shared with a 3rd party vendor I am not even using.  I do hope that HAL will review it's policies and make changes to avoid this type of exposure for its customers.

 

Yes, I'm aware that many organizations make an extra buck or two by selling customer lists to other parties.  A shoddy practice in my book, but not the same as a data breach.  Those organizations are not giving my DL #, passport #, and financial information to a 3rd party.

 

 

[iancal]

My understanding was no financial info was given.  That is the crux.  Names and passport numbers not an issue.  Nor is D/L

 

This is no where near the seriousness of the Capital One breach that is in the news and that may well include me.  It involves names tied to banking/credit card information, and SS numbers.  That is serious.  A passport number...not so much.

 

 

Edited August 8, 2019 by iancal

[cruisebie]

In the letter that I received HAL didn't say that they didn't give this information, only that it was not impacted by the breach. That leaves it open to interpretation, but you would think if they had not shared it they would have been interested in very clearly stating that.  I'm really more concerned about the practice of unnecessarily sharing information than the fact that my passport number was hacked. Hopefully this will be a wake up call for HAL & they will implement some changes.

 

I'm sorry to hear you maybe caught up in the Capital One breach.  That is a very serious concern and I hope your data is not misused.  There are so many ways that our information can be compromised in our increasingly cashless society.  

[Tampa Girl]

13 hours ago, cruisebie said:

I received one of these letters dated July 19 (but just received 2 days ago). The time frame for the breach must have expanded because I didn't sail between mid November 2018 and  mid January.  I cruised on the Veendam on the Atlantic Coast route from Montreal to FLL in October.  So, different region, earlier time frame. 

 

The letter did specify that DL numbers, phone numbers, email and physical addresses, credit card or other financial information were not impacted.

 

I can't imagine why HAL would share information on passengers who didn't utilize the service. How many other 3rd party vendors are they sharing our information with?  I also have to wonder why BAGS would retain that information in their database once the cruise was over. What use could it possibly be to them?  The letter doesn't make clear when the breach occurred, but it was reported to HAL on May 30, which would mean, at the least it had been stored for several months.

 

 

Lol, no but they did tell us how to get a free credit report.

 

 

 

 

Since there were no DL numbers, phone numbers, email and physical addresses, credit card or other financial info, I fail to see why the furor.  As has been pointed out, we have no expectation of privacy even as to phone numbers, names or physical addresses even had they been used.  Passport numbers?  The former can be obtained via Google, and what is anyone going to do with a passport number?  Someone could try use it if they looked similar to the picture, I suppose.  From doing roll calls on various cruises, I am always amused by people who refuse to give their last names, towns and sometimes states of residence.  Particularly when they are handing over their credit cards - and, worse, debit cards - at every port.  We need to be a little more realistic and a little less paranoid.

[iancal]

We do not light our hair on fire when these things occur.  But, like others we do take precautions.  We never use our debit cards.  We shred any hard copy paper that has banking info, credit info, our SS numbers, etc.  As much as possible of our financial lives has been moved away from hard copy and on to email.  Partly because it is safer.  Especially now that the area we moved to has a public mail box vs delivery to our door.  When we travel we are very careful about when we access our accounts to check on activity.

 

After eight years of frequent extended travel we feel fortunate.  Our credit cards have only been breached three times-always right here at home.  The good news is that it was caught either by us or the financial institution with a day or so.

Edited August 8, 2019 by iancal

[*Miss G*]

1 hour ago, Tampa Girl said:

I am always amused by people who refuse to give their last names, towns and sometimes states of residence.

 

It’s never a good idea to report on the internet that you are not going to be home during a specific period of time.

[kazu]

3 hours ago, Tampa Girl said:

From doing roll calls on various cruises, I am always amused by people who refuse to give their last names, towns and sometimes states of residence. 

 

Seriously? You’re amused?   I’m on my roll calls and do a number of Meet and Greets.  I don’t encourage anyone ever to post personal info like last names, room numbers, etc on the roll call.

 

Anyone can see it and it’s often not hard to drill down to figure out who the person is if they do.  

 

I simply ask people to email me in confidence for any of my private tours and meet and greet invites.  No need for the ‘whole world to know they are going to be away’.

 

The internet is not as anonymous as some like to think.

 

JMHO though.

[Tampa Girl]

34 minutes ago, kazu said:

 

Seriously? You’re amused?   I’m on my roll calls and do a number of Meet and Greets.  I don’t encourage anyone ever to post personal info like last names, room numbers, etc on the roll call.

 

Anyone can see it and it’s often not hard to drill down to figure out who the person is if they do.  

 

I simply ask people to email me in confidence for any of my private tours and meet and greet invites.  No need for the ‘whole world to know they are going to be away’.

 

The internet is not as anonymous as some like to think.

 

JMHO though.

 

I don't ask for their last names on the internet.  I ask for it in order to place it on a confidential M&G list which is not published online.  I do appreciate that people don't want to identify themselves and their specific location on the internet.  However, this reluctance on the part of many extends to their interaction with other cruises while on board.  And that I do not understand.  I don't know whether it is  fear of identify theft or fear of identification.  Not sure.

[idiebabe]

20 hours ago, cruisebie said:

No future cruise credit wanted, needed or requested on my part.  

 

I'm not sure that HAL or BAGS deserve a break in this situation. As a customer I should have a right to expect that information I share with them is secure. And in the case of HAL, not unnecessarily shared with a 3rd party vendor I am not even using.  I do hope that HAL will review it's policies and make changes to avoid this type of exposure for its customers.

 

 

 

I'm very sorry that you received the Letter.  We were initially told it was five Carib Sailings and three Ships (NS, Oostie and Zui) that were affected and then it became six Sailings and then seven Sailings and now Veendam (and Veendam earlier than the initial Time Frame).    Some who were on my 1/6 NS Sailing that initially did not get the May 30th Letter just received the Letter yesterday so, yes, it is definitely expanding.

 

The one Gal on my Sailing who's Canadian said she was told in the Letter to protect yourself and the Letter gave ways including notifying the RCMP Passport Office, Equifax and TransUnion as well as getting a Credit Monitoring System.  What a mess and she also did not sign up for Luggage Direct!

 

I also hope that HAL will review it's policies and make changes especially when they share Ship's Rosters with a 3rd Party when only a small percentage sign up for a Service with that 3rd Party!  

 

 

 

 

[2inSETexas]

For the posters who seem to think this is not a big deal, it IS a big deal, and a violation of the law in the EU.  I worked in this field for several years before retirement, and still keep my certification active.  

 

Passport #s, even in the USA, are considered Personally Identifiable Information (also called Sensitive Personal Information in some jurisdictions) as it is a government issued identity #. Passport numbers have been stolen for criminal activity.

 

We were not impacted by this breach of privacy, but there IS an expectation of privacy for much personal information, and laws to back up that expectation, even in the USA.  For those with a cavalier attitude about their own or others’ personal data, read up on Data Privacy laws.