British-American cruise operator Carnival has suffered a ransomware attack in which guest and employee data was accessed, it has revealed in a regulatory filing.
The Miami-headquartered travel giant — which operates big-name brands including Cunard, P&O, AIDA and Princess — said the attack was discovered on August 15.
Attackers managed to encrypt “a portion” of the IT systems one of its brands, although Carnival refused to elaborate on which company had been hit.
“The company does not believe the incident will have a material impact on its business, operations or financial results. Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,” it continued.
“Although we believe that no other information technology systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other company’s brands will not be adversely affected.”
Carnival said that it has notified law enforcement, engaged legal counsel and hired incident response professionals who have helped to implement containment and remediation measures.
The attack comes at a bad time for the company, which has been hit hard by the current pandemic and a collapse in global tourism. Last month it was forced to borrow another $1bn to stay afloat, adding to around $7bn it had previously secured.
Steve Durbin, managing director of the Information Security Forum, argued that many organizations’ systems may have been exposed of late due to mass home working by employees.
“To protect against the scale and scope of these threats, an organization will be forced to rethink its defensive model, particularly its business continuity and disaster recovery plans. Established plans that rely on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure,” he said.
“Revised plans should cover threats to periods of operational downtime caused by attacks on infrastructure, devices or people. Creating a cyber-savvy workforce that takes information security seriously, while fostering a culture of trust, will help to eradicate poor security practices as well as reduce the number and scale of incidents.”