By Clare O’Gara
Tue | Aug 18, 2020 | 10:14 AM PDT

Talk about kicking someone, or some organization, when it's down.

The Carnival Corporation, which has canceled cruises for months now as a result of COVID-19, says one of its cruise brands was hit with a ransomware cyberattack.

Carnival owns Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK), and Cunard.

What do we know about the Carnival Cruises ransomware attack?

The cruise line did not specify which of its cruise brands was impacted.

Right now, everything we know comes from the company's special filing with the U.S. Securities and Exchange Commission, notifying the SEC of the data breach.

  • Hackers encrypted some files.
  • Hackers exfiltrated (removed) some data.
  • Remediation is underway.

Here is Carnival Corporation's ransomware and cyber incident statement, in full:

On August 15, 2020, Carnival Corporation and Carnival plc (together, the "Company," "we," "us," or "our") detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files.

Promptly upon its detection of the security event, the Company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals.

While the investigation of the incident is ongoing, the Company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems. The Company is working with industry leading cybersecurity firms to immediately respond to the threat, defend the Company's information technology systems, and conduct remediation.

Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results.

Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies. Although we believe that no other information technology systems of the other Company's brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company's brands will not be adversely affected.

Ransomware attacks 2020: what do cybercriminals want?

Security researcher and pentester Vinny Troia tells SecureWorld that although some hackers love making headlines and the notoriety of it all, most have a very specific motivation for their attacks:

"Money, money. At the end of the day, it almost always comes back to money," says Troia.

And Steve Durbin, managing director of the Information Security Forum, explains how ransomware attacks are being used to achieve this end:

"Ransomware attackers are not interested in stealing assets and using them to cause damage, but in exploiting the value of the asset to its owner. When striking at organizations, attackers will target systems that are fundamental to business operations, some of which may be operating in an unprotected manner or which may have been unwittingly exposed during the COVID-19 response when workers were forced to access corporate systems from home."

We've seen this repeatedly, where stolen data is used as leverage. Without a ransom payment, the attackers threaten to destroy or publish the data they downloaded during an attack.

Sometimes hackers have even used this stolen information to blackmail customers directly.

Was there a ransom demand in the Carnival attack? And if so, how much? This remains to be seen.

Ransomware attacks: another argument for cyber insurance?

Caroline Thompson, Head of Underwriting at Cowbell Cyber, says an attack like this reinforces the importance of cyber insurance:

"[Cyber insurance] is often overlooked that in the case of ransomware, the damage to an organization goes well beyond the need to pay the ransom if a readily available backup, which is the preferred solution, is not an option. Business interruption, loss of revenue and reputational damages are all financial burdens that cyber insurance can provide relief for. Partnering with a trusted insurance carrier with dedicated cybersecurity expertise is a must."

And cyber attorney Shawn Tuma tells SecureWorld he agrees with that sentiment.

"In my experience—and I've been in cyber law for 20 plus years now, dealing with various forms of cyber issues, serving in the incident response capacity, which is where most of my work is right now—there are two things that I have found to be absolutely critical to the resilience of a company when they get hit, so how well they can handle and respond to those hits. And number one is cyber insurance. Cyber insurance is what pays for you to do what you need to do to have a proper response."

Tuma also says cyber risk in general, and ransomware specifically, may be the greatest business risk an organization can face. And he's comfortable making that statement even during the COVID-19 pandemic:

"I cannot think of any other risk that businesses regularly face where the CEO can go to sleep tonight and lay their head on their plush, beautiful pillows, with the company running well, doing fine, production operations going, and then wake up tomorrow morning to find they're completely out of business because of an event that happened overnight, such as a ransomware attack."

And Tuma says companies with cyber insurance are much more likely to survive that type of sudden, major disruption than those without insurance. 
