Have you been on Carnival Lines recently?
Carnival Cruise lines, reeling since the start of the global pandemic, has a new problem. Recently, the company disclosed that they were the victims of a ransomware attack.
Carnival's disclosure was frighteningly uninformative. The company gave no clear indication of which of their brands was impacted, how widespread the damage was, how many guest records were stolen, or any other useful data points.
The disclosure reads as follows
"On August 15, 2020, Carnival Corporation and Carnival plc (together, the "Company," "we," "us," or "our") detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files.
...we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies."
When asked for additional information all that was received the following stock reply
"We are not planning to discuss anything beyond the 8-K filing at this point since it is early in the investigation process."
On the face of it, that seems reasonable, and yet, this is not the first time we've seen a company fall victim to such an attack. When they do, their disclosures are categorically more informative than the one Carnival made.
Independent security researchers have jumped into the fray and begun their own investigations and researchers from the company "Bad Packets" discovered that Carnival has a number of Citrix servers that were vulnerable to CVE-2019-19781 and CVE-2020-2021.
Both of these vulnerabilities would have allowed an attacker easy access to the company's network. Worst of all, the first issue has had a patch available since January 2020, and the second was patched in June of this year (2020).
Our perspective
If those issues prove to be the way the attackers gained access to the system, then this attack was a self-inflicted wound. We'll know for sure in time. In the meantime, if you've been on a Carnival cruise at any time, keep a sharp eye on the payment cards you used to book the trip. You may have trouble heading your way.
~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~
By Denis Wilson and Melissa Stockwell
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I'm Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people/process/technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective office productivity and out-sourced service solutions for over 20 years, focusing principally on manufacturing, professional services, and healthcare. Our hallmarks are cloud and on-premises network reliability, cost-effective cybersecurity, and livable small business regulatory compliance.
I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs. Contact me if you would like me to speak at your association
