IT Security Update

Notification for Remaining Individuals–Guest/Non-Employee

Notice of Data Breach

We are writing to you about an incident affecting our information technology (IT) system. The incident was posted on our Costa website on 19 March 2021. As detailed in our post, we have been working to identify the individuals whose personal information may have been impacted by this event, and we are directly notifying you because your personal information has been found during that process.  

What happened?

Unauthorized third-party access to portions of the Company’s IT systems was detected on 25 December 2020. We acted quickly to shut down the intrusion, restore operations, and prevent further unauthorized access. A major cybersecurity firm was engaged to investigate the matter, and law enforcement and regulators, including the Philippines’ National Privacy Commission, were notified about the event. 

What information was possibly involved?

It appears that in December 2020, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew. The impacted information includes data routinely collected during the guest travel booking process or through the course of employment. That information may include names, addresses, phone numbers, passport numbers, and dates of birth, and in some limited instances, additional personal information, such as Social Security or national identification numbers, health information, or other personal information.

Working with our cybersecurity experts, the Company took steps to recover its files and has evidence that indicates a low likelihood of the data being misused.

What we are doing.

As part of our ongoing security operations, we regularly review our security and privacy policies and procedures and implement changes when needed to enhance our information security and privacy program and controls. 

What You Can Do.

It is always a good idea to remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity.

While we have no reason to suspect that your information is being misused, if you ever suspect that you are the victim of identity theft or fraud, you can contact your local police.

It is also always a good idea to be alert for “phishing” emails or other attempts by someone who acts like they know you, or are a company that you may do business with, and requests sensitive information over email or phone. This might include your password, Social Security or national identification number, or financial account information.

For More Information.

If you have any questions regarding this matter, please contact us via email at

Back to Top