We have been informed that Cruiseplanners.com has suffered a major data breach in which large amounts of personal and personally identifiable information, including credit card information, have been stolen from the Cruiseplanners.com eREZ system. If you are a victim of this security breach, contact the data privacy attorneys at Revision Legal today.
What Happened in the Cruiseplanners.com Data Breach
The Cruiseplanners.com breach exposed customer data stored in the eREZ reservation system — a platform used by independent travel agents to manage bookings, customer profiles, and payment information. The compromised data reportedly includes names, addresses, email addresses, phone numbers, and credit card information. When a reservation system is breached, the scope of exposed data is often broader than initially reported because these systems aggregate customer information from multiple transactions over extended periods.
If you booked travel through a Cruiseplanners agent, you should assume your personal information and payment data may have been compromised. That assumption should drive immediate action, not a wait-and-see approach.
What You Should Do Right Now
1. Monitor Your Credit Card Statements Immediately
Contact your credit card company and request a new card number if you used a credit or debit card with a Cruiseplanners agent. Do not wait for fraudulent charges to appear. Many card issuers will expedite replacement cards when you report a potential data breach. Under the Fair Credit Billing Act (15 U.S.C. § 1666), you have the right to dispute unauthorized charges, but your rights are strongest when you act quickly.
2. Place a Fraud Alert or Credit Freeze
Contact one of the three major credit reporting bureaus — Equifax, Experian, or TransUnion — and place an initial fraud alert on your credit file. That bureau is required to notify the other two. A fraud alert is free and requires creditors to take extra steps to verify your identity before opening new accounts. A credit freeze, also free under federal law since 2018, goes further by restricting access to your credit report entirely, making it far harder for identity thieves to open new accounts in your name.
3. Enroll in Credit Monitoring
Companies responsible for data breaches often offer complimentary credit monitoring to affected individuals. If Cruiseplanners or its affiliates offer such a service, enroll in it. However, do not rely on it as your only protection. Credit monitoring alerts you after suspicious activity occurs — it does not prevent it.
4. Change Your Passwords
If you had an account with Cruiseplanners.com or any affiliated portal, change your password immediately. If you used the same password on other websites — a practice that security professionals strongly advise against — change those passwords as well. Use a password manager to generate and store unique, complex passwords for each account.
5. File a Complaint with the FTC
You can report identity theft and data breach victimization at IdentityTheft.gov, which is operated by the Federal Trade Commission. The FTC will generate a personalized recovery plan based on your specific situation. You may also consider filing a complaint directly with the FTC at FTC.gov/complaint.
The Legal Framework Behind Data Breach Liability
Companies that collect and store consumer data have legal obligations to protect it. The FTC Act, Section 5, prohibits unfair or deceptive acts or practices in commerce, which the FTC has interpreted to include inadequate data security measures. The FTC has brought enforcement actions against numerous companies for failing to implement reasonable security practices — actions that resulted in fines, mandatory security audits, and consent decrees lasting up to 20 years.
Many states have enacted their own data breach notification laws that impose specific requirements on how and when companies must notify affected consumers. Under most state statutes, companies must notify affected individuals within a specified window — often 30 to 90 days — after discovering a breach. Failure to provide timely notification can expose a company to significant regulatory penalties and civil liability.
If you suffered actual financial harm from unauthorized use of your credit card or other fraudulent activity traceable to the breach, you may have grounds for a civil claim against the company responsible. Courts have generally required plaintiffs in data breach cases to demonstrate concrete injury — not just the risk of future harm — but ongoing developments in case law are expanding what counts as cognizable injury.
Class Action Litigation and Data Breaches
Large-scale data breaches often lead to class action litigation. When thousands of consumers suffer similar harms from a company’s failure to protect their data, class treatment allows claims that would be economically impractical to pursue individually to be aggregated into a single lawsuit. Plaintiffs in data breach class actions typically assert claims for negligence, breach of contract, violation of state consumer protection statutes, and violations of federal privacy laws such as the Electronic Communications Privacy Act.
Settlements in data breach class actions have resulted in meaningful recoveries for consumers, including cash payments, extended credit monitoring, and improvements to the defendant company’s data security practices. Staying informed about any class action litigation filed in connection with the Cruiseplanners.com breach is worthwhile.
What Businesses Can Learn from This Breach
For businesses that collect and store customer payment data, the Cruiseplanners.com breach is a reminder of the severe consequences of inadequate data security. The cost of a breach — regulatory penalties, litigation, customer notification, credit monitoring services, and reputational damage — almost invariably exceeds the cost of implementing strong security practices in advance.
Businesses handling payment card data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements designed to protect cardholder data. PCI DSS compliance is not optional — it is a contractual requirement imposed by the card networks as a condition of accepting card payments. Non-compliance can result in fines, increased transaction fees, and termination of the ability to process card payments.
Beyond PCI DSS, businesses should conduct regular security assessments, implement encryption for stored payment data, restrict employee access to sensitive information on a need-to-know basis, and maintain an incident response plan that enables rapid containment and notification if a breach occurs.
Contact Revision Legal’s Data Privacy Attorneys
If you are a victim of the Cruiseplanners.com data breach and have suffered financial harm or are concerned about your exposure, the data privacy attorneys at Revision Legal can help you understand your rights and evaluate your legal options. We regularly represent both individuals and businesses in data privacy matters, including breach notification compliance, FTC enforcement defense, and consumer litigation. Contact us today for a consultation.
What Businesses Can Do to Prevent Future Breaches
Data breaches of reservation systems like the Cruiseplanners.com eREZ platform occur for predictable reasons: inadequate encryption of stored payment data, insufficiently restricted access controls, failure to apply security patches, and lack of monitoring for unusual access patterns. Companies that handle payment card data in reservation systems have specific, well-defined security obligations under the Payment Card Industry Data Security Standard (PCI DSS) that address each of these vulnerabilities directly.
Travel agencies and reservation platforms should ensure that all stored payment card data is encrypted using industry-standard algorithms, that access to cardholder data is restricted to personnel with a genuine need for that access, that systems are regularly scanned for vulnerabilities and patched promptly, and that access logs are maintained and reviewed for anomalous activity. Annual PCI DSS compliance assessments by a Qualified Security Assessor (QSA) are required for merchants and service providers that handle significant volumes of card transactions, and these assessments provide the external validation that data security practices meet the required standard.
For consumers, the lesson of the Cruiseplanners.com breach — and of every large-scale payment data breach — is that you cannot control how the businesses you patronize protect your data. What you can control is how you respond when a breach occurs. Acting quickly, monitoring your accounts closely, and understanding your legal rights are the tools available to consumers when the companies they trust fail to protect their information. If you need guidance navigating the aftermath of a data breach, Revision Legal’s data privacy attorneys are here to help.