Less than a year on, Carnival Corporation has had to confront yet another cyberattack, the fourth this year, in a run that has included data breaches and two ransomware attacks!
Carnival Cruise Corporation
- Is currently the world’s largest travel leisure company, with more than 150,000 employees in 150 countries and approximately 13 million guests each year.
- The corporation operates nine of the world’s leading cruise line brands, including Carnival Cruise Line, Costa, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Seabourn, and Cunard.
- They also operate a travel company (Holland America Princess Alaska Tours).
What actually happened?
Roger Frizzell, Carnival’s Senior Vice President and Chief Communications Officer, reported that:
“It appears that in mid-March, the unauthorised third-party gained access to certain personal information relating to some of our guests, employees, and crew. The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”
Affected customers received a data breach notification letter in which Carnival stated that “unauthorized third-party access to a limited number of e-mail accounts” was detected in mid-March.
In the letter sent on Thursday about the data breach, the company stated that there is evidence indicating “a low likelihood of the data being misused.” According to the data breach notification, the stolen information included:
- phone numbers
- passport numbers
- health information
- dates of birth
The attackers also gained access to additional personal information, such as national identification numbers or Social Security numbers.
In March 2020, roughly 15 months ago, Carnival Cruise Line reported dealing with a data breach. At that time, personal data such as names, Social Security numbers, addresses, passport and driver’s license numbers, financial account and credit card information, and health-related information had been accessed by attackers.
Last October, seven months later, Carnival said that it had suffered another cyberattack, this time involving ransomware, on August 15. This attack affected three cruise lines: Carnival Cruise Line, Seabourn, and Holland America Line.
Two days after the incident, on August 17, Carnival revealed that it was dealing with a ransomware attack. The company found that the hackers had gained access to and encrypted part of one brand’s IT systems and had downloaded data files, which ultimately gave them employee and customer information.
Sergiu Gatlan of BleepingComputer discovered a fourth cyberattack, also involving ransomware, detected in December. Carnival detailed the attack in a 10-Q form filed with the SEC (Securities and Exchange Commission) this past April. The filing says that the “investigation and remediation phases” of that ransomware attack were still ongoing at that time.
Opinions on the recent event
After the most recent attack, security experts weighed in on the state of Carnival’s defenses!
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, predicted that: “With the expected increase in vacation and business travel this coming year, all things travel will begin to look like appetising targets for the bad actors of the world.”
He also stated that the cruise line’s history shows it has failed to protect itself from such attacks!
His advice for preventing unauthorized third-party access to data:
- Update all systems to ensure that the latest security patches have been applied.
- Educate employees and executives about the risk of opening links or downloading attachments found in emails and text messages.
On the other hand, Erich Kron, a security awareness advocate at KnowBe4, also had something to say about the event! He noted that these attacks come as people are booking trips again after the long travel shutdown caused by COVID-19. “The type of data and the sheer volume of it being collected by Carnival can be very valuable to attackers, so it is no big surprise they have been a target,” Erich said.
Erich explains that such attacks usually start with email phishing, so organizations are strongly advised to invest in high-quality email filtering and in training employees to spot phishing emails and practise proper password hygiene.
John Bambenek, a threat intelligence advisor at Netenrich, says that at this point it seems as though Carnival is just asking for it.
He also believes that the company’s vulnerability shows the world what an easy target it is, which could lead to more frequent and more serious attacks.
Carnival engaged a cybersecurity firm to investigate the attack further. The investigation revealed unauthorized third-party access to personal data relating to some guests, employees, and crew of Holland America Line, Princess Cruises, and Carnival Cruise Line, as well as data from its medical operations.
The company has also set up a call center dedicated to answering questions about the incident from guests, employees, crew, and other people whose personal data was compromised!