Cruise operator and the world’s largest travel leisure company Carnival Corporation was hit by a ransomware attack on August 15.
The company detected an attack on the information technology systems of one of its brands, which were accessed and encrypted by the attackers. “The unauthorised access also included the download of certain of our data files,” the company added.
Carnival owns a number of sub-brands, including P&O Cruises and Cunard Line in the UK, as well as Princess Cruises, the company behind the Diamond Princess and Ruby Princess, centres of recent Covid-19 outbreaks. Carnival did not say which of its brands had been affected.
It also did not say what type of data had been accessed, though a regulatory filing said that it included personal data of guests and employees. Carnival employs over 150,000 people and receives 13 million guests per year.
Carnival was previously hit by a cyberattack in 2019 after hackers gained access to several employee emails on two of its cruise liners. This resulted in unauthorised third-party access to the accounts.
The cruise operator said that it has implemented containment and remediation measures and has reinforced the security of its information technology systems.
“The company is working with industry-leading cybersecurity firms to immediately respond to the threat, defend the company’s information technology systems, and conduct remediation,” it said.
The company reported the attack to the US Securities and Exchange Commission on August 17.
Carnival said that it does not believe the incident will have a material impact on its business, operations or financial results, based on the company’s preliminary assessment using information currently known.
“Nonetheless, we expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,” the company warned.
Carnival reassured people that it believes the attack had not reached the information technology systems of the company’s other brands. However, “there can be no assurance that other information technology systems of the other company’s brands will not be adversely affected,” the company said.
With the investigation still at an early stage, it is unclear if Carnival has been hit with a request for funds, or whether the company would pay a ransom if one were demanded.
Due to curtailing its operations following the coronavirus outbreak, the company reported an adjusted net loss of US$2.4 billion for the second quarter of this year.