Kalyakan - stock.adobe.com

Carnival cruise lines hit by ransomware, customer data stolen

Cruise ship operator is likely to be the victim of a major data breach after customer information is apparently stolen in a ransomware attack

Cruise ship operator Carnival Corporation has reported that it has fallen victim to an unspecified ransomware attack which has accessed and encrypted a portion of one of its brand’s IT systems – and the personal data of both its customers and staff may be at risk.

Carnival, which like the rest of the travel industry has been stricken by the Covid-19 pandemic – it also operates Princess Cruises, owner of the ill-fated Diamond Princess, which found itself at the centre of the initial outbreak – reported the incident to the US Securities and Exchange Commission (SEC) on 17 August.

In its form 8-K filing, the company said the cyber criminals who accessed its systems also downloaded a number of its data files, which suggests it may be at imminent risk of a double extortion attack of the sort perpetrated by the Maze and ReVIL/Sodinokibi groups.

“Promptly upon its detection of the security event, the company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals,” said Carnival.

“While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its IT systems. The company is working with industry-leading cyber security firms to immediately respond to the threat, defend the company’s IT systems, and conduct remediation.”

Carnival said that based on its preliminary assessment, and on the information currently known, the incident will not materially affect its business, operations or financial results.

“Nonetheless, we expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims,” it said. “Although we believe that no other IT systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other IT systems of the other company’s brands will not be adversely affected.”

Read more about ransomware attacks

Carnival is the world’s biggest cruise operator – it employs more than 150,000 staff and in more auspicious times welcomes 13 million people on board its ships every year. Besides Carnival Cruise Line and Princess Cruises, it also runs the Costa, P&O Australia, P&O Cruises, Holland American Line, AIDA, Cunard and Seabourn brands. It has not yet disclosed which of these operations was affected.

Dan Panesar, UK and Ireland director at Securonix, a specialist in security information and event management (SIEM), said that with the theft of personal data, the Carnival incident looked set to prove a particularly nasty one.

“It appears the attackers have used the classic diversion of a ransomware attack to divert attention from the real focus of the attack, which was to steal valuable and sensitive data,” he said.

Anurag Kahol, CTO at cloud security firm Bitglass, added: “The travel industry is an extremely attractive target to cyber criminals, as they can collect and store personally identifiable information [PII] on billions of passengers every year, including passport numbers, credit card information, email addresses and much more.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management