Carnival Cruise lines, reeling since the start of the global pandemic, has a new problem. Recently, the company disclosed that they were the victims of a ransomware attack.
Carnival's disclosure was almost frighteningly uninformative. The company gave no clear indication which of their brands was impacted, how widespread the damage was, how many guest records were stolen, or any other useful data points.
Their disclosure reads, in part, as follows:
"On August 15, 2020, Carnival Corporation and Carnival plc (together, the "Company," "we," "us," or "our") detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files.
...we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies."
Several companies reached out to Carnival for additional information but all received the following stock reply:
"We are not planning to discuss anything beyond the 8k filing at this point since it is early in the investigation process."
On the face of it, that seems reasonable, and yet, this is not the first time we've seen a company fall victim to such an attack. When they do, their disclosures are categorically more informative than the one Carnival made.
Independent security researchers have jumped into the fray and begun their own investigations and researchers from the company "Bad Packets" discovered that Carnival has a number of Citrix servers that were vulnerable to CVE-2019-19781 and CVE-2020-2021.
Both of these vulnerabilities would have allowed an attacker easy access to the company's network. Worst of all, the first issue has had a patch available since January 2020, and the second was patched in June of this year (2020).
If those issues prove to be the way the attackers gained access to the system, then this attack was essentially a self-inflicted wound. We'll know for sure in time. In the meantime, if you've been on a Carnival cruise at any time, keep a sharp eye on the payment cards you used to book the trip. You may have trouble heading your way.