
Largest Cruise Line Operator Carnival Confirms Ransomware Data Theft

Carnival Corporation, the world’s largest cruise line operator, has confirmed that the personal information of customers, employees, and ship crews was stolen during an August ransomware attack.

Carnival is included in both the S&P 500 and the FTSE 100 indices and it has more than 150,000 employees from roughly 150 countries and over 13 million guests each year.

The company operates nine cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, Seabourn) and a travel tour company (Holland America Princess Alaska Tours).

The ransomware attack Carnival refers to took place on August 15, 2020, and it was disclosed via an 8-K form filed with the Securities and Exchange Commission (SEC) two days later, on August 17.

At the time, the company said that only one of its brands was affected in the ransomware incident and that it expected that “the security event included unauthorized access to personal data of guests and employees.”

Data theft confirmed in SEC filing

In a 10-Q form filed with the SEC yesterday, Carnival confirmed that the unknown ransomware gang was able to gain access to personal information of both customers and employees during the attack.

The discovery was made during an investigation led by a major cybersecurity firm hired by Carnival following the August 15 incident. The company also notified data regulators and relevant law enforcement agencies.

“While the investigation is ongoing, early indications are that the unauthorized third-party gained access to certain personal information relating to some guests, employees, and crew for some of our operations,” Carnival said. “There is currently no indication of any misuse of this information.”

“While at this time we do not believe that this information will be misused going forward or that this incident will have a material adverse effect on our business, operations, or financial results, no assurances can be given, and further, we may be subject to future attacks or incidents that could have such a material adverse effect,” Carnival added.

Even though the filing does not name the ransomware strain used to encrypt systems, BleepingComputer knows of more than 22 different ransomware operations that steal and leak sensitive documents and info as part of their attacks.

When contacted by BleepingComputer in August, Carnival said that they are “not planning to discuss anything beyond the 8K filing at this point since it is early in the investigation process.”

Vulnerable Carnival Citrix and Palo Alto servers

Cybersecurity intelligence firm Bad Packets discovered several potential points of initial compromise that the ransomware attackers might have used as an entry point into Carnival’s network.

Multiple Citrix ADC (NetScaler) devices and Palo Alto Networks firewalls were found to be vulnerable to CVE-2019-19781 (patched in January 2020) and CVE-2020-2021 (patched at the end of June 2020) exploits, respectively.

Both of these vulnerabilities can be used by ransomware gangs as stepping stones into a corporate network, allowing them to move laterally and collect the credentials needed to take over admin accounts and the Windows domain controller.

Even though Carnival did not disclose if any of these servers were compromised during the August 2020 incident, ransomware gangs are regularly scanning for and exploiting such vulnerable devices in their attacks.
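The defensive point of the passage above is the exposure window: an internet-facing device left unpatched after the vendor fix ships is exactly what ransomware operators scan for. The script below, added here as an illustration and not code from the article or from Bad Packets, walks a constructed asset inventory and flags internet-facing devices whose last patch predates the fix for the two CVEs the article names. The fix dates are assumptions at month granularity (the article only says "January 2020" and "end of June 2020"), so the last day of each month is used and a device is flagged only when its patch date is clearly earlier; hostnames and dates in the sample inventory are invented.

```python
from dataclasses import dataclass
from datetime import date

# Vendor fix availability for the CVEs named in the article. Exact days are
# assumptions: the article gives only the month, so the month's last day is
# used as a conservative cut-off.
FIX_AVAILABLE = {
    "CVE-2019-19781": {"product": "Citrix ADC", "fixed_on": date(2020, 1, 31)},
    "CVE-2020-2021": {"product": "PAN-OS", "fixed_on": date(2020, 6, 30)},
}


@dataclass
class Device:
    hostname: str
    product: str
    internet_facing: bool
    last_patched: date  # date the device last received vendor updates


def exposed_devices(inventory, as_of):
    """Return (hostname, cve, days_fix_available) for every internet-facing
    device whose last patch predates the vendor fix for a CVE affecting its
    product. Devices that are not reachable from the internet are skipped,
    since the article's concern is externally exploitable entry points."""
    findings = []
    for dev in inventory:
        if not dev.internet_facing:
            continue
        for cve, info in FIX_AVAILABLE.items():
            if info["product"] != dev.product:
                continue
            if dev.last_patched < info["fixed_on"]:
                # How long a fix has been available without being applied.
                days = (as_of - info["fixed_on"]).days
                findings.append((dev.hostname, cve, days))
    return findings


# Constructed sample inventory (hostnames and dates are invented).
SAMPLE_INVENTORY = [
    Device("vpn-gw-01", "Citrix ADC", True, date(2019, 11, 2)),   # never got the January fix
    Device("vpn-gw-02", "Citrix ADC", True, date(2020, 2, 14)),   # patched after the fix
    Device("fw-edge-01", "PAN-OS", True, date(2020, 5, 20)),      # missed the June fix
    Device("fw-lab-01", "PAN-OS", False, date(2019, 8, 1)),       # unpatched but not internet-facing
]


if __name__ == "__main__":
    # Evaluate as of the attack date the article reports.
    for host, cve, days in exposed_devices(SAMPLE_INVENTORY, date(2020, 8, 15)):
        print(f"{host}: fix for {cve} available for {days} days, not applied")
```

Run against a real inventory export, the same comparison gives a prioritised list of edge devices whose patch lag overlaps the period in which these CVEs were being exploited in the wild.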

The ransomware attack came after a data breach Carnival announced in March 2020 that led to the exposure of customers’ personal and financial information after an unknown threat actor gained access to employee email accounts.
