Carnival Corp., the world’s largest cruise-ship operator, has sprung another leak: For the second time in a year, attackers have breached email accounts and accessed personal, financial and health information belonging to guests, employees and crew.
Carnival has quite the armada: Its cruise brands include Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK) and Cunard. It also operates Holland America Princess Alaska Tours, a tour company that sails around Alaska and the Canadian Yukon.
In a data breach notification letter sent to affected customers and first spotted by BleepingComputer, Carnival said that “unauthorized third-party access to a limited number of email accounts” was detected in mid-March.
But Carnival’s SVP and chief communications officer Roger Frizzell later told the news outlet that the attackers also gained access to “limited portions of its information technology systems.”
“It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees and crew,” Frizzell reportedly said. “The impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing.”
In its data breach notification, sent on Thursday, the company added that there is evidence indicating “a low likelihood of the data being misused.”
According to the letter, the improperly accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information such as Social-Security or national-identification numbers.
Fourth Leak in Carnival’s Hull Over 15 Months
This is the fourth time in a bit over a year that Carnival’s admitted to breaches, with two of them being ransomware attacks.
Fifteen months ago, in March 2020, Carnival Cruise Lines disclosed that it was hit with a data breach: Threat actors accessed names, addresses, Social Security numbers, passport numbers or driver’s-license numbers, credit-card and financial account information, and health-related information.
Seven months later, last October, Carnival disclosed that it had suffered a ransomware attack on the previous Aug. 15 that affected three cruise lines: Carnival Cruise Line, Holland America Line and Seabourn. At the time, Carnival said that there was a “low likelihood of the data being misused,” just as it said about the most recent May attack.
Carnival had already revealed that it was the target of a ransomware attack on Aug. 17, two days after the attack. At the time, the company acknowledged that hackers had accessed and encrypted a portion of one brand’s IT systems and had downloaded data files, getting access to customers’ and employees’ information.
BleepingComputer’s Sergiu Gatlan came across a fourth, previously undisclosed ransomware attack, detected in December, that Carnival detailed in a 10-Q form filed with the SEC this past April. The form reportedly noted that the “investigation and remediation phases” of that ransomware attack was still ongoing at the time.
Protecting Data from Becoming Flotsam & Jetsam
After this most recent attack, security experts pondered what, exactly, is up with Carnival’s defenses.
“I’m not surprised that there have been additional attacks against Carnival,” observed Chris Hauk, consumer privacy champion at Pixel Privacy. He suggested to Threatpost in an email on Friday that the cruise line’s history shows that it’s failed to take steps to protect itself from attacks like these.
That’s too bad, given what an attractive target the travel industry is for threat actors, Hauk continued. “With the expected increase in vacation and business travel this coming year, all things travel will begin to look like appetizing targets for the bad actors of the world,” he said. His advice to help prevent unauthorized third-party access to data starts with “updating all systems to ensure that the latest security patches have been applied,” he advised, and to educate employees and executives as to the risk of opening links or attachments found in emails and text messages.
Erich Kron, security awareness advocate at KnowBe4, noted that these attacks come just as people start to book trips after the long COVID-19 travel shutdown. That comes as no surprise, given the high value of the data that travel companies collect, he noted in an email to Threatpost on Friday.
“The type of data and the sheer volume of it being collected by Carnival can be very valuable to attackers, so it is no big surprise they have been a target,” he said. “Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation and other purposes related to the travel. This includes Social-Security numbers, passport numbers, full names, addresses, phone numbers and much more – all data that could be easily used to steal identities or open accounts in potential victims’ names.”
Kron explained that these types of attacks are often started through email phishing attacks, making it wise for organizations to invest in high-quality email filtering and an employee training program focused on spotting email phishing attacks and on using proper password hygiene. He also suggested investing in data-loss prevention (DLP) solutions and enabling multi-factor authentication on accounts.
No Stock Price Pain, No Security Gain?
Paul Bischoff, privacy advocate at Comparitech, echoed Hauk in saying that he’d be “extremely hesitant” to trust the company with his personal information. “As these attacks become a pattern instead of isolated incidents, I have to wonder whether Carnival is really prioritizing cybersecurity or if it’s just an afterthought,” he told Threatpost via email on Friday.
Bischoff noted that Carnival’s stock price hasn’t significantly suffered from any of its recent data incidents. It was down 2 percent Thursday evening following its breach disclosure, and it was down about 1 percent on Friday morning. At this rate, the company doesn’t have much incentive to fix whatever’s causing these breaches, he said: “If shareholders continue to profit from the status quo, it’s unlikely the company will invest in better cybersecurity technology and talent.”
John Bambenek, threat intelligence advisor at Netenrich, said that at this point, it looks like Carnival’s just asking for it: “The fact that Carnival has been hit three times in under 12 months means some serious questions need to be asked on what this company is doing to protect its sensitive information,” he opined in an email to Threatpost on Friday. “At a certain point, they are advertising to the world that they are an easy target, and can look forward to more frequent and serious attacks.”
061821 12:38 UPDATE: Carnival’s SVP and chief communications officer Roger Frizzell confirmed the March 19 discovery of the breach to Threatpost on Friday. He said via email that “several months ago (on March 19), Carnival Corporation detected unauthorized third-party access to limited portions of its information technology systems. Information Security at Carnival Corporation acted quickly to shut down the event and prevent further unauthorized access.
“A cybersecurity firm was engaged to investigate the matter, and regulators were notified. The investigation revealed unauthorized third-party access to certain personal information relating to some guests, employees and crew for Carnival Cruise Line, Holland America Line, Princess Cruises and medical operations. There is evidence indicating a low likelihood of the data being misused.
“The company has notified guests, employees, crew and other individuals whose personal information may have been impacted. It also has established a dedicated call center to answer questions regarding the event. As part of its ongoing operations, the company is continuing to review security and privacy policies and procedures and has been implementing changes as needed to enhance our information security and privacy program and controls.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.