Cruise line operator Carnival Corporation suffers a ransomware attack

The world’s largest cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend.

Cruise line operator Carnival Corporation has disclosed that one of their brands was hit with a ransomware attack over the past weekend.

Carnival Corporation & plc is a British-American cruise operator, currently the world’s largest travel leisure company, with a combined fleet of over 100 vessels across 10 cruise line brands. A dual-listed company,

Carnival Corporation has over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.

In an 8-K filing with the US Securities Exchange Commission (SEC), the cruise line operators revealed that the incident took place on August 15.

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” states the 8-K form filed with the SEC.

“Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,”

The Carnival IT staff confirms that the ransomware operators may have stolen personal data of guests and employees, according to the filing the unauthorized access also included the download of certain of our data files.

The filing does not provide details about the attack, it is not clear the family of ransomware that hit the company.

“Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results. Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies. Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected.” continues the form 8-K.

Upon the discovery of the security incident, the Company launched an investigation and notified law enforcement, it also hired legal counsel and cyber security professionals. The company also announced to have already implemented a series of containment and remediation measures to respond to the incident and reinforce the security of its information technology systems.

In March, Carnival Corporation disclosed another data breach that took place in 2019. The company informed customers of the incident, a third-party gained unauthorized access to their personal information.

Exposed guests’ personal information included name, address, Social Security number, government identification number, such as passport number or driver’s license number, and health-related information. For some clients, credit card and financial account information might have been exposed.

It is interesting to note that according to cybersecurity intelligence firm Bad Packets, Carnival utilizes vulnerable Citrix devices that can be exploited by an attacker to access the corporate network.

The company was using Citrix servers vulnerable to the CVE-2019-19781 flaw that affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

BadPackets also speculate that another entry point in the Carnival network could be CVE-2020-2021 issue in the the PAN-OS operating system.

The flaw could allow unauthenticated network-based attackers to bypass authentication, it has been rated as critical severity and received a CVSS 3.x base score of 10.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking,Carnival)

[adrotate banner=”5″]

[adrotate banner=”13″]