Data security incident

On December 14, 2020, we learned that an unauthorized actor gained remote access to our network and encrypted parts of our computer systems. At that time, however, we were unable to determine which guests may have been affected, if any, and what information might have been accessed.

We immediately disabled affected computer systems, took down their internet connection to prevent any further intrusion and launched a forensic investigation to determine the nature and scope of the incident. Our investigations now indicate that personal data for a limited number of guests having booked expedition voyages with two ships, MS Fram and MS Midnatsol, in a certain time period have been affected by the incident.

For MS Fram the relevant time period is from 2014 to 2020. For MS Midnatsol the relevant time period is from 2016 to 2020. On February 18 2021, the unauthorized actor placed some of the above information on a difficult to access part of the internet.

We understand that Hurtigruten was one of many companies that was a victim of this type of intrusion.

Yes, if you have received a notification letter we have unfortunately identified you as one of our guests that has been affected by this incident.

We have notified all guests affected by the incident directly to the extent we have contact information to such guests. As we do not have contact information to all affected guests, this notice is placed on our web page a an attempt to reach the guests to whom we do not have contact information.

The information involved varies between the affected guests.

The information involving yourselves is described in the letter which you have received. Hurtigruten does not store credit or debit card information.

Please refer to the letter on the web page for more information on the personal information involved.

No, credit and debit card information was not available for attackers to access.

We immediately took steps to contain the issue and commenced an investigation to determine the data and individuals that may have been affected. We reported this matter to Norwegian law enforcement and the Norwegian Data Protection Authority (since Hurtigruten is based in Norway) and the Federal Bureau of Investigation. We also notified other applicable privacy regulatory authorities.

Over the past years we have made significant investments in data privacy and cyber security. Since this incident, we have further strengthened these efforts and our internal experts are working closely with third-party cybersecurity experts to further enhance the security of our systems and reduce the risk of a similar event happening in the future.

We do not have any indication of actual harm to affected individuals as a result of this incident, but we still recommend you to take the steps described in the notification letter. We regret any concern this incident may have caused.