Hackers accessed personal information of guests, employees and crew for three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed.
Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival is still investigating, the company said in an update on the situation this week. Carnival has been working with cybersecurity consultants to recover its files and believes there is a a “low likelihood of the data being misused,” the company said.
Carnival had already revealed that it was the target of a ransomware attack two days after the incident, on Aug. 17. At the time acknowledged that hackers had accessed and encrypted a portion of one brand’s information technology systems, as well as downloaded data files from the company.
Carnival continues to work “as quickly as possible to identify the guests, employees, crew and other individuals whose personal information may have been impacted,” according to the update. Within 30 to 60 days, Carnival plans to complete the process and notify those known to be affected, provided the company has their current contact information.
In the meantime, anyone who believes they may have been affected can contact a dedicated call center the company set up to answer questions regarding the event, Carnival said. “When the investigation is complete, callers may confirm whether or not their information was affected,” the company said.
Cruise operators, like many other touristic services-oriented companies, have been hit hard during the COVID-19 pandemic, which has inspired hackers to take advantage of their troubled situation. Indeed, threat actors have been on nearly constant attack across industries since March when news of the pandemic first hit across the world, inspiring business closures and stay-at-home orders that left organizations vulnerable.
Calling the attack “yet another example of the importance of proper investment in cyber security programs to protect company and customer data,” Terence Jackson, CISO at cloud privileged access management solution provider Thycotic, stressed continued vigilance as the pandemic persists.
“Attackers are not taking it easy during the pandemic,” he said in an e-mail to Threatpost. “They are stepping the attacks up and we have to be ready.”
Business continuity and disaster recovery are two areas companies should consider bolstering during this unique time of vulnerability to attacks, noted Steve Durbin, managing director of the Information Security Forum.
“Established plans that depend on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure,” he said in an e-mail to Threatpost. “Revised plans should cover threats to periods of operational downtime caused by attacks.”
For its part, Carnival said it is indeed taking proactive steps to bolster its security position, reviewing security and privacy policies and procedures and implementing changes when needed to enhance information security and privacy controls as it continues its review of the incident.
