Carnival Corp., the world’s largest cruise-ship operator, has sprung a leak! For the 2nd time in a year, attackers have breached email accounts & accessed personal, financial & health information belonging to guests, employees & crew.
This is the 4th time in just over a year that Carnival has admitted to breaches, with 2 of them being ransomware attacks.
Carnival is quite a group: Its cruise brands include Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK) & Cunard. It also operates Holland America Princess Alaska Tours, a tour company that operates in Alaska & the Canadian Yukon.
In a data breach notification letter sent to affected customers & first spotted by Bleeping Computer, Carnival said that “unauthorised 3rd-party access to a limited number of email accounts” was detected in mid-March.
Carnival’s SVP & Chief Communications Officer Roger Frizzell later stated that the attackers also gained access to “limited portions of its information technology systems.”
“It appears that in mid-March, the unauthorised 3rd-party gained access to certain personal information relating to some of our guests, employees & crew,” Frizzell reportedly stated.
“The impacted information includes data routinely collected during the guest experience & travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”
In its data breach notification, sent on Thurs., the company added that there is evidence indicating “a low likelihood of the data being misused.”
According to the letter, the improperly accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, &, in some limited instances, additional personal information such as Social-Security or national-identification numbers.
This is the 4th time in a bit over a year that Carnival has admitted to breaches, with 2 of them being ransomware attacks.
15 months ago, in Mar. 2020, Carnival Cruise Lines disclosed that it was hit with a data breach: Threat actors accessed names, addresses, Social Security numbers, passport numbers or driver’s-license numbers, credit-card & financial account information, & health-related information.
7 months later, last Oct., Carnival disclosed that it had suffered a ransomware attack on the previous Aug. 15 that affected 3 cruise lines: Carnival Cruise Line, Holland America Line & Seabourn. At the time, Carnival claimed that there was a “low likelihood of the data being misused,” just as it observed about the most recent May attack.
Carnival had already revealed that it was the target of a ransomware attack on Aug. 17, 2 days after the attack. At the time, the company acknowledged that hackers had accessed & encrypted a portion of one brand’s IT systems & had downloaded data files, getting access to customers’ & employees’ information.
Bleeping Computer’s Sergiu Gatlan came across a 4th, previously undisclosed ransomware attack, detected in Dec., that Carnival detailed in a 10-Q form filed with the SEC this past April. The form reportedly noted that the “investigation and remediation phases” of that ransomware attack were still ongoing at the time.
After this most recent attack, security experts pondered what, exactly, is up with Carnival’s defences.
“I’m not surprised that there have been additional attacks against Carnival,” observed Chris Hauk, Consumer Privacy Champion at Pixel Privacy. He suggested in an email on Fri. that the cruise line’s history shows that it has failed to take steps to protect itself from attacks like these.
That’s too bad, given what an attractive target the travel industry is for threat actors, Hauk continued. “With the expected increase in vacation & business travel this coming year, all things travel will begin to look like appetising targets for the bad actors of the world,” he outlined.
Updating All Systems
His advice for preventing unauthorised third-party access to data starts with “updating all systems to ensure that the latest security patches have been applied,” & continues with educating employees & executives about the risk of opening links or attachments found in emails & text messages.
Erich Kron, security awareness advocate at KnowBe4, noted that these attacks come just as people start to book trips after the long COVID-19 travel shutdown. That comes as no surprise, given the high value of the data that travel companies collect, he noted on Fri.
“The type of data & the sheer volume of it being collected by Carnival can be very valuable to attackers, so it is no big surprise they have been a target,” he observed.
“Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation & other purposes related to the travel. This includes Social-Security numbers, passport numbers, full names, addresses, phone numbers & much more – all data that could be easily used to steal identities or open accounts in potential victims’ names.”
Kron explained that these types of attacks are often started through phishing attacks, making it wise for organisations to invest in high-quality email filtering & an employee training program focused on spotting email phishing attacks & on using proper password hygiene.
He also suggested investing in data-loss prevention (DLP) solutions & enabling multi-factor authentication on accounts.
Stock Price Pain, Security Gain?
Paul Bischoff, Privacy Advocate at Comparitech, echoed Hauk in saying that he would be “extremely hesitant” to trust the company with his personal information. “As these attacks become a pattern instead of isolated incidents, I have to wonder whether Carnival is really prioritising cyber-security or if it’s just an afterthought,” he explained on Fri.
Bischoff noted that Carnival’s stock price has not significantly suffered from any of its recent data incidents. It was down 2% Thur. evening following its breach disclosure, & it was down about 1% on Fri. morning.
At this rate, the company does not have much incentive to fix whatever is causing these breaches, he observed. “If shareholders continue to profit from the status quo, it’s unlikely the company will invest in better cyber-security technology & talent.”
Asking For It
John Bambenek, Threat Intelligence Advisor at Netenrich, claimed that at this point, it looks like Carnival’s just asking for it:
“The fact that Carnival has been hit 3 times in under a year means some serious questions need to be asked on what this company is doing to protect its sensitive information,” he suggested. “At a certain point, they are advertising to the world that they are an easy target & can look forward to more frequent & serious attacks.”