Carnival Cruises hit by fourth cyber incident in a year

Following a March 2020 data breach in which a malicious actor stole personal data after accessing company email accounts, and two separate ransomware attacks, one in August and one in December, Carnival Cruises has disclosed another cyber security incident that resulted in the apparent theft of personally identifiable information (PII).

First reported by Bleeping Computer, the breach appears to have been the result of unauthorised third-party access to its IT systems. There is no indication that ransomware is involved on this occasion.

In a letter sent to affected customers – a copy of which was shared by Bleeping Computer – Carnival Cruises said it had detected the breach on 19 March 2021 and acted quickly to secure its systems. The compromised data relates to guests, employees and crew of its Carnival Cruise Line, Holland America Line and Princess Cruises, and may include names, contact details, passport details, birth dates, and in some circumstances US social security or other national ID numbers.

It said the data was routinely collected through the guest experience and travel booking process, and so it may also include data related to Covid-19 test results and vaccinations – Carnival is preparing to begin operating Covid-limited services on some of its vessels in the coming months.

The company said it had evidence of a “low likelihood” of the data being misused, but is nevertheless offering affected customers access to credit monitoring and identity theft detection services provided by Cyberscout for the next 18 months.

Erich Kron, KnowBe4 security awareness advocate, said the valuable nature of the data collected by organisations such as Carnival made it a target too tempting for cyber criminals to pass up.

“Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation and other purposes related to the travel,” said Kron. “This includes social security numbers, passport numbers, full names, addresses, phone numbers and much more – all data that could easily be used to steal identities or open accounts in potential victims’ names.”

Meanwhile, Egress threat intelligence vice-president Jack Chapman offered guidance for Carnival customers. “I would urge any Carnival Cruises customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether over email, text messages or phone calls,” he said.

“Follow-up attacks may be highly convincing, utilising personal information accessed through this data breach to trick people into parting with further personal data that can be used for identity or financial theft.”

Paul Bischoff, privacy advocate at Comparitech, said this latest incident was likely to have damaging ramifications for Carnival, and would undoubtedly throw a harsher spotlight on its security posture.

“At this point, I would be extremely hesitant to trust the company with my personal information,” he said. “As these attacks become a pattern instead of isolated incidents, I have to wonder whether Carnival is really prioritising cyber security or if it’s just an afterthought.”

Bischoff noted that the firm’s stock price – which sank a couple of percentage points when the breach was disclosed – had not suffered significantly in the long term from any of its recent incidents, and that this tendency may be exacerbating the company’s tendency to get burnt.

“If shareholders continue to profit from the status quo, it’s unlikely the company will invest in better cyber security technology and talent,” he said.

Recent analysis by Comparitech found that the markets do “punish” corporations that fall victim to cyber security incidents, but not by much. It looked at the consequences of 40 breaches of listed firms and found that in 21 cases, the incident resulted in worse stock performance measured against the Nasdaq in the six months after a breach than the six months before, but only barely – those companies studied underperformed the Nasdaq by 2.6% before, but only 3% after.

Bischoff said tech and financial services companies tended to see the largest drop in their stock market performance after a breach, but e-commerce and social media companies were less affected. In breaches where sensitive information is leaked – such as Carnival’s – the drop is more immediate but in the long term, victims do not seem to suffer more.