Cruise ship operator Carnival hit by ransomware

The cyberattack was performed over the weekend

Carnival Corporation disclosed ransomware attack, during which personal data of customers and employees was stolen

Carnival Corporation, the largest cruise ship operator, has disclosed a cybersecurity incident. In the K-8 filing^[1] with the US Securities Exchange Commission (SEC), which was published on August 15, 2020, it was reported that the company had suffered a ransomware attack, which resulted in some data encryption on information technology systems. The filing also stated that some personal information of customers and employees was downloaded by the unauthorized party.

Carnival Corporation & PLC is the largest leisure company in the world, employing line brands such as Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK) and Cunard.^[2] It holds a fleet of more than 100 ships that 13 million guests choose every year, and employs 150,000 people across 150 countries worldwide.

Carnival Corporation is investigating the incident: no actors or ransomware name yet revealed

Carnival claimed that it took all the necessary measures to secure the networks and servers all across the company. It was also said that relevant he law enforcement agencies were informed about the breach and that the company is closely cooperating with third-party forensics to investigate the incident further:

While the investigation of the incident is ongoing, the Company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems. The Company is working with industry-leading cybersecurity firms to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation.

Since the attack is fairly recent, it is yet not clear what ransomware-operating gang is behind the unauthorized intrusion and data theft. However, we are likely to see one of the more prominent cybercriminal gangs (such as Maze or Sodinokibi) behind an attack against such a large-scale target.

These cybercriminal groups began using new tactics against corporations: they do not only encrypt data on the infected networks but also steal information before that. That means that the attackers spend some time on the company's network before deploying ransomware for file encryption. If the victim does not agree to pay the demanded ransom, the attackers then publish the corporate and personal information online to cause maximum damage to the company.^[3]

Carnival says the ransomware attack will not impact its business

In many cases, ransomware attacks can be a devastating blow to corporations and businesses, as recovery costs, ruined reputation, customer compensations can cause significant damages and even result in bankruptcy or employee layoffs.^[4] The impact on the business often depends on the scope of the attack, however – encrypted files can often be restored from backups (if malware does not encrypt them as well).

Data breaches are exceptionally common, and companies like Capital One,^[5] Marriott, Facebook, and many others already paid the price for insufficient security practices that compromised the online safety of customers/users.

Despite this, Carnival Corporation claims that the ransomer attack impact on the business or its profits will be minimal:

Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results.

While the scope of the breach and what type of information was harvested from Carnival Corporation servers remains unknown, clients of the cruise ships should take this incident seriously. Stolen information can be used by cybercriminals in various malicious ways – users might be more susceptible to targeted phishing attacks, scams, of even monetary losses.