Cruise operator Carnival PLC has confirmed that the company has been hit by a wide-ranging ransomware attack, with hackers holding sensitive information on customers and staff until a ransom is paid.
Carnival, which owns nine of the largest cruise ships in the world, has filed a report with the United States Securities and Exchange Commission in Washington DC, telling the commission that the company was hit by an attack on August 15.
“On August 15, 2020, Carnival Corporation and Carnival PLC detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems,” they wrote, adding that “the unauthorized access also included the download of certain of our data files.”
Carnival owns Carnival and Princess cruise lines, AIDA, P&O Australia, Costa, P&O Cruises, Holland America Line, Cunard, as well as Seabourn. The parent company has refused to specify which brand was hit by the cyber attack, but has stated that a ransomware attack on one brand could have moved to one or more of its subsidiaries.
Carnival Corporation has more than 150,000 employees and hosts as many as 13 million guests per year, although 2020 figures will be significantly lower due to the pandemic.
Carnival continued to explain that “while the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems.”
“The company is working with industry leading cybersecurity firms to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation.”
“We expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies.”
The filing was signed by Carnival’s Chief Financial Officer and Chief Accounting Officer, David Bernstein.
Researchers at Bad Packets have tweeted that news of the ransomware attack was “not surprising given they had multiple Citrix servers vulnerable to CVE-2019-19781,” and added that this vulnerability “could be another initial vector of compromise as well.”
According to a report from Bleeping Computer, this server “when exploited, allow[s] a hacker to gain access to the company’s internal network… either of these vulnerabilities can be abused by ransomware operators to gain access to a corporate network silently.”
“Once the attackers gain access, they spread laterally to other computers and harvest network credentials,” Lawrence Abrams continued to explain. “When they gain control over an administrator account and the Windows domain controller, the attackers deploy the ransom.”
“While it is not known if either of these vulnerabilities were used in Carnival’s attack, they are commonly abused by ransomware operators in these types of attacks,” Abrams concluded.
We’ve reported previously that ransomware attacks are becoming more frequent, with the demands of hackers increasing as much as 950%. Hackers are able to encrypt a system’s files, making them inaccessible to the owner of those files unless a ransom is paid, usually in the form of cryptocurrency, which is notoriously difficult to trace.
The ransomware attack comes at a particularly difficult time for Carnival PLC, whose bottom line has been hit dramatically due to travel restrictions leaving the company seemingly unable to operate.
However, according to a report from CRN, “the company said it believed the incident will not have a material impact on its business, operations or financial results.”