- Carnival Corporation detected a ransomware attack on "a portion of one brand's information technology systems" on Saturday, according to an SEC filing Monday. The company has enacted containment measures alongside cybersecurity firms to remediate the intrusion.
- While the investigation is ongoing with legal counsel, law enforcement and incident response individuals, the company "does not believe the incident will have a material impact on its business, operations or financial result," according to the filing.
- The attackers downloaded "certain" data files, which Carnival expects to include the "personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies." While initial investigation suggests the intrusion was limited to one brand, "there can be no assurance" other Carnival brands' IT systems "will not be adversely affected," according to the filing.
The travel and hospitality industry was hit hard economically by the pandemic. Carnival's delayed operations have racked up a $650 million "monthly average cash burn rate" for the second half of 2020, according to a company filing in June.
Bad actors are latching onto industries economically stressed by the pandemic. "Attackers tend to take the path of least resistance," said Anurag Kahol, CTO and co-founder of Bitglass. Industries economically bruised by COVID-19 can expect bad actors to take advantage of "company leaders [that] are distracted, trying to right the ship."
Carnival Corporation, with global corporate headquarters in Miami, halted U.S. operations through Oct. 31, though the company was rallying behind a Sept. 6 resumption date for its Germany-based AIDA Cruises. Carnival's portfolio includes:
- Carnival Cruise Line
- Princess Cruises
- Holland America Line
- P&O Cruises (Australia)
- Costa Cruises
- AIDA Cruises
- P&O Cruises (UK)
Based on the initial assessment of the intrusion and known evidence, "in particular, that the incident occurred in a portion of a brand’s information technology system," Carnival doesn't expect significant monetary loss. However, intruders might have unlawfully accessed and encrypted customer and employee records (the type of information has yet to be disclosed).
"Employer liability for breaches of employee information varies by state, with states like California leading the charge in terms of data privacy laws," said Kahol. Even when a company uses employee data for commercial purposes, including recruiting, there are legal safety nets for employees.
Enforcement of the California Consumer Privacy Act began on July 1, but unless there's a private civil lawsuit filed against a company, personal data relating to employment is exempt from the law until Jan. 1, 2021. The amendment to the CCPA, passed in October, includes aggregated employee data, or "records that have been deidentified," according to the amendment.
In a civil lawsuit, arguing against a company's "reasonable security procedures" means "a company could be in hot water if it was proven there was negligence related to their security practice," said Daniel Barber, co-founder and CEO of DataGrail.
If Carnival's ransomware attack is found to be negligent and a result of insufficient security protocols, the company "could face fines for their employee data," said Barber. A spokesperson for Carnival Corporation declined to comment further.