North American Cybersecurity Incident Notice

Hurtigruten values our guests and understands the importance of protecting personal information.

Last edited: 3/1/2021 2:15 PM

On December 14, 2020, we learned that an unauthorized actor encrypted the computer systems relating to two of our ships (the MS Fram and MS Midnatsol).

Immediately upon learning of this incident, we disabled the affected computer systems, took down their internet connection to prevent any further intrusion, and launched a forensic investigation to determine the nature and scope of the incident. ​ ​

Based on our investigation, the personal information that might have been affected by this incident consisted of affected customers’ - names, dates of birth, passport numbers and passport expiration dates. Affected customers’ email addresses, mailing addresses, and/or phone numbers might also have been affected by this incident.

Credit and debit card information, social security numbers, driver’s license numbers, and government-issued identification card numbers were not affected by this incident.​

Additionally, if affected customers were treated by a medical provider during their stay on the MS Fram or the MS Midnatsol, certain information collected by that medical provider may have been affected by this incident, such as the medical provider’s notes about the affected customer’s visit. ​


More Information

If you have questions or require further assistance, please fill out the form below:

Frequently asked questions

On December 14, 2020, we learned that an unauthorized actor gained remote access to our network and encrypted parts of our computer systems. At that time, however, we were unable to determine which guests may have been affected, if any, and what information might have been accessed.

We immediately disabled affected computer systems, took down their internet connection to prevent any further intrusion and launched a forensic investigation to determine the nature and scope of the incident. Our investigations now indicate that personal data for a limited number of guests having booked expedition voyages with two ships, MS Fram and MS Midnatsol, in a certain time period have been affected by the incident.

For MS Fram the relevant time period is from 2014 to 2020. For MS Midnatsol the relevant time period is from 2016 to 2020. On February 18 2021, the unauthorized actor placed some of the above information on a difficult to access part of the internet.

We understand that Hurtigruten was one of many companies that was a victim of this type of intrusion.

Yes, if you have received a notification letter we have unfortunately identified you as one of our guests that has been affected by this incident.

We have notified all guests affected by the incident directly to the extent we have contact information to such guests. As we do not have contact information to all affected guests, this notice is placed on our web page a an attempt to reach the guests to whom we do not have contact information.

The information involved varies between the affected guests.

The information involving yourselves is described in the letter which you have received. Hurtigruten does not store credit or debit card information.

Please refer to the letter on the web page for more information on the personal information involved.

No, credit and debit card information was not available for attackers to access.

We immediately took steps to contain the issue and commenced an investigation to determine the data and individuals that may have been affected. We reported this matter to Norwegian law enforcement and the Norwegian Data Protection Authority (since Hurtigruten is based in Norway) and the Federal Bureau of Investigation. We also notified other applicable privacy regulatory authorities.

Over the past years we have made significant investments in data privacy and cyber security. Since this incident, we have further strengthened these efforts and our internal experts are working closely with third-party cybersecurity experts to further enhance the security of our systems and reduce the risk of a similar event happening in the future.

We do not have any indication of actual harm to affected individuals as a result of this incident, but we still recommend you to take the steps described in the notification letter. We regret any concern this incident may have caused.