Carnival confirms data breach as a result of the August ransomware attack

Pierluigi Paganini October 10, 2020

Carnival Corporation, the world’s largest cruise line operator, has confirmed a data breach as a result of the august ransomware attack.

Carnival Corporation, the world’s largest cruise line operator, has confirmed a data breach as a result of the ransomware attack that took place in August. Ransomware operators have stolen the personal information of customers, employees, and ship crews during the attack.

Carnival Corporation & plc is a British-American cruise operator, currently the world’s largest travel leisure company, with a combined fleet of over 100 vessels across 10 cruise line brands. A dual-listed company,

Carnival Corporation has over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.

Carnival data breach
Source: Orlando Weekly

The company operates nine cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, Seabourn) and a travel tour company (Holland America Princess Alaska Tours).

In an 8-K filing with the US Securities Exchange Commission (SEC), the cruise line operators revealed that the incident took place on August 15.

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” states the 8-K form filed with the SEC.

“Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,”

The company also notified law enforcement agencies and data regulators.

At the time, the company revealed that only one of its cruise line brands was affected by the security breach.

Upon the discovery of the security incident, the Company launched an investigation and notified law enforcement, it also hired legal counsel and cyber security professionals. The company also announced to have already implemented a series of containment and remediation measures to respond to the incident and reinforce the security of its information technology systems.

Now the company filed a new In a 10-Q form with the SEC, it confirmed that an unknown ransomware gang also stole the personal information of its customers and employees. The company added that it is not aware of any misuse of the exposed information.

“On August 15, 2020, we detected a ransomware attack and unauthorized access to our information technology systems. We engaged a major cybersecurity firm to investigate the matter and notified law enforcement and regulators of the incident.” reads the 10-Q form.

“While the investigation is ongoing, early indications are that the unauthorized third-party gained access to certain personal information relating to some guests, employees, and crew for some of our operations.” “There is currently no indication of any misuse of this information.”

The company warns its customers of future attacks or incidents that could be linked to this security breach.

“While at this time we do not believe that this information will be misused going forward or that this incident will have a material adverse effect on our business, operations, or financial results, no assurances can be given, and further, we may be subject to future attacks or incidents that could have such a material adverse effect.” states the company.

In August, researchers from cybersecurity intelligence firm Bad Packets noticed that Carnival was utilizing vulnerable Citrix devices at the time of the attack. The experts speculate that the vulnerable equipment was targeted by the attacker to access the corporate network.

BadPackets also speculate that another entry point in the Carnival network could be CVE-2020-2021 issue in the the PAN-OS operating system.

In March 2020, Carnival Corporation disclosed another data breach that took place in 2019. The company informed customers of the incident, a third-party gained unauthorized access to their personal information.

Exposed guests’ personal information included name, address, Social Security number, government identification number, such as passport number or driver’s license number, and health-related information. For some clients, credit card and financial account information might have been exposed

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment