Carnival Cruise lines, reeling since the start of the global pandemic, has a new problem. Recently, the company disclosed that they were the victims of a ransomware attack.
Carnival's disclosure was almost frighteningly uninformative. The company gave no clear indication which of their brands was impacted, how widespread the damage was, how many guest records were stolen, or any other useful data points.
Their disclosure reads, in part, as follows:
"On August 15, 2020, Carnival Corporation and Carnival plc (together, the "Company," "we," "us," or "our") detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files.
...we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies."
Several companies reached out to Carnival for additional information but all received the following stock reply:
"We are not planning to discuss anything beyond the 8k filing at this point since it is early in the investigation process."
On the face of it, that seems reasonable, and yet, this is not the first time we've seen a company fall victim to such an attack. When they do, their disclosures are categorically more informative than the one Carnival made.
Independent security researchers have jumped into the fray and begun their own investigations and researchers from the company "Bad Packets" discovered that Carnival has a number of Citrix servers that were vulnerable to CVE-2019-19781 and CVE-2020-2021.
Both of these vulnerabilities would have allowed an attacker easy access to the company's network. Worst of all, the first issue has had a patch available since January 2020, and the second was patched in June of this year (2020).
If those issues prove to be the way the attackers gained access to the system, then this attack was essentially a self-inflicted wound. We'll know for sure in time. In the meantime, if you've been on a Carnival cruise at any time, keep a sharp eye on the payment cards you used to book the trip. You may have trouble heading your way.
About the Author
Marty Parker
Owner & General Manager
Marty is the Owner and General Manager of Heritage Digital. Marty has managed and built high-performing IT teams for over 30 years. He served 13 years in the manufacturing industry and 13 years in corporate-owned healthcare organizations. Before acquiring Heritage Digital, Marty was the Chief Information Officer of Carolinas Hospital System (now MUSC Health Florence Medical Center) in Florence, SC. Marty is passionate about educating and protecting people against cybercriminals.
