Carnival Corp Attacked by Ransomware, Guest & Employee Data Breached
Carnival Corporation announced today that one of its brands has fallen victim to a ransomware attack, and it is launching an investigation into the matter. In a regulatory filing to the US Securities and Exchange Commission, the company indicated that the attack included unauthorized access to personal data of both guests and employees. They have not yet specified which brand was affected.
The corporation owns and operates Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, AIDA Cruises, Costa Cruises, and P&O Cruises. Like the rest of the travel industry, it has been severely affected by the COVID-19 pandemic.
In a statement, Carnival said “Promptly upon its detection of the security event, the company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals. While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its IT systems. The company is working with industry-leading cyber security firms to immediately respond to the threat, defend the company’s IT systems, and conduct remediation. Nonetheless, we expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims. Although we believe that no other IT systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other IT systems of the other company’s brands will not be adversely affected.”
In Carnival Corp’s 8-K filing, the company said that the cyber criminals who accessed its systems also downloaded data files, which means that it may be at risk of a double extortion attack. The company also indicated that there is no guarantee that the IT systems of its other brands will not be affected, though they don’t yet have reason to believe that they will be.
Carnival Corporation is the world’s largest cruise operator. It employs over 150,000 staff and, during normal non-pandemic times, welcomes 13 million people aboard its ships each year. The company said that it doesn’t believe the incident will have a material impact on its business, operations, or financial results.
If you believe your personal information may be at risk, the following are a few things you can do to guard against identity theft.
- Contact the three main credit reporting agencies (Equifax, Experian, and TransUnion) for a credit report to see if there has been any recent activity. There are several that offer a free annual report.
- Sign up for identity theft protection with a company such as LifeLock, Identity Guard, Experian, etc. Many employers will offer discounted rates for one of these services, so be sure to check with your HR department to see if your company has a preferred vendor.
- Check with your credit card company to ensure there have been no fraudulent charges or unauthorized activity. Many credit cards have free online access or an app where you can easily scroll through recent activity to see if anything looks suspicious.
If you find any unauthorized activity, be sure to report it immediately. Regularly checking your credit and monitoring for suspicious activity is a good idea even in the best of times.