
Ethical Hacking


MIS 5211.701 ■ Fall 2020 ■ William Bailey

Candace T Nelson

Carnival left to right the ship after breaches threaten travelers’ trust

September 1, 2020 by Candace T Nelson

https://www.scmagazine.com/home/security-news/data-breach/carnival-must-right-the-ship-after-breaches-threaten-travelers-trust/?ocid=uxbndlbing

In this article, the author revealed that Carnival Cruise Lines detected a ransomware attack on August 15th that accessed and encrypted a portion of the technology systems of one of its brands and downloaded data files that contained customer personal information.  Since 2019, Carnival has been the victim of two confirmed cyberattacks and a potential third attack, including a 2019 data breach that impacted the company’s Princess and Holland America cruise lines that was committed via deceptive phishing emails.  It is noteworthy that this breach was initially identified in May 2019 and appears to have spanned the period from April 11 through July 23, 2019.

It is believed that the current breach may have resulted from Carnival’s use of vulnerable devices and their failure to apply available patches in a timely manner.  Specifically, exploitation of a Citrix vulnerability (CVE-2019-19781) and a Palo Alto Firewall flaw (CVE-2020-2021) could have allowed hackers to gain unauthorized access to the corporate networks.

The author went on to state that, after learning about the prior breach in March 2020, cyber intelligence company Prevailion began sorting through its data related to Carnival and discovered a malicious program.  Prevailion attempted to warn Carnival, which failed to respond to its warnings.  Prevailion refrained from going public with this information until the current breach was publicized.

It seems obvious that a thorough security assessment was not performed by or on behalf of Carnival after the breach that was identified in May 2019, since the networks were still so vulnerable to attack a year later.  While data breaches are not always preventable, recurring breaches at the same company are difficult to ignore.  Carnival claims the incident will not have a material impact on its business.  However, it is difficult to measure the reputational harm that has been caused by this series of events.  It is also too early to tell how significant the financial impact of allowing unauthorized access to the personal information of guests and employees may be on the world’s largest cruise operator.

Filed Under: Week 02: TCP/IP and Network Architecture
