Carnival Corporation, the world's largest operator of cruise liners, has confirmed in an SEC filing that one of its brands suffered a ransomware attack on 15th August that resulted in hackers gaining unauthorised access to the personal data of guests and employees.
The ransomware attack comes at a time when Carnival Corporation, like many other multinational giants, is facing serious financial setbacks due to the coronavirus pandemic. The cruise ship operator was forced to reduce its fleet of ships by fifteen in July as a cost-cutting exercise.
Carnival Corporation operates a number of renowned cruise liner brands such as Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises in the United Kingdom and Australia.
On Monday, the cruise liner giant disclosed in a filing with the U.S. Securities and Exchange Commission that one of its brands suffered a ransomware attack on 15th August that resulted in hackers gaining access to internal IT systems, encrypting a portion of the systems, and stealing the personal data of guests and employees.
"Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results," Carnival stated in the filing.
"Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected," it added.
The company also stated that as soon as the ransomware attack was detected, it launched an investigation, notified law enforcement authorities, and engaged legal counsel and other incident response professionals. Carnival Corporation is also working with industry-leading cybersecurity firms "to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation."
Commenting on the ransomware attack on Carnival Corporation this week, Dan Panesar, director of UK and Ireland at Securonix, said that this attack is particularly nasty as the hackers have gained access and stolen the ‘holy grail’ of information, including personal details, credit cards, and social security numbers; all the essentials to perform some pretty nasty identity fraud on its customers.
He added that in order to match hackers in terms of resources and skills, security teams at organisations need to use behavioural analytics to spot abnormal behaviour before it causes real problems. They can also use automation to focus only on the severe or real threats, reduce their overall burden, ensure better visibility, respond faster to attacks, and further strengthen their security posture.
This is the second time this year that Carnival Corporation has had to disclose a major security incident to law enforcement authorities and its customers. In March, Princess Cruises, one of Carnival's well-known cruise lines, said that between 11th April and 23rd July 2019, hackers accessed multiple employee email accounts that contained the personal information of guests, crew, and employees.
Princess Cruises said the data security incident potentially compromised names, addresses, Social Security numbers, passport numbers, driver's license numbers, credit cards, financial account information, and health-related information of passengers and staff. The data exposed was not specific to each guest, and the company does not have any evidence of misuse of this personal information so far.