Two units of cruise operator Carnival Corp. disclosed that they were the targets of a cyber attack, which they identified in May 2019. 

According to Reuters, Holland America Line and Princess Cruises, both units of Carnival Corp. said their investigation revealed unauthorized third-party had access to personal information, including mail accounts, names, Social Security numbers, and credit card information of some guests and employees.

According to Carnival Corp.'s website, the company employs over 120,000 people worldwide and its 10 cruise line brands attract nearly 11.5 million guests annually, which is about 50 percent of the global cruise market: combining more than 225,000 daily cruise guests and 100,000 shipboard employees, more than 325,000 people are sailing aboard the Carnival Corporation fleet every single day, totaling about 85 million passenger cruise days a year. 

One may question why Carnival Corp. just disclosed the cyber attack, as opposed to disclosing it back in May 2019. Charles Ragland, security engineer at Digital Shadows, tells Security Magazine, that, "Law enforcement may request companies not disclose a breach publicly while an investigation is ongoing. Depending on the kind of information that was accessed, there could be specific laws that require steps to be taken to disclose the breach. This is typically the case when it is financial or medical data. There are currently no national standards in place for breach disclosure timelines in the U.S., so companies have to navigate the regulations that each state has in place," 

"Phishing is one of the most effective and common attack methods used against an organization because it includes the chance for user error," says Ragland. "Everyone has clicked on a vague, suspicious email at some point in their life, security professionals included. Phishing emails are designed to prey on curiosity, goodwill and often include a sense of urgency to make the victim want to help the sender as fast as possible. From an attacker's point of view, why waste time trying to find an exploit to get onto a network when a user can just install it for you?"

Ragland notes that employee training can be a reliable method to stop or mitigate attacks. "Training employees to be wary of emails that are unexpected or show signs of phishing is one of the top ways to reduce your attack surface. Phishing is effective and by reducing the risk you face (it won't ever be eliminated), you require attackers to increase their efforts to gain access to your systems. For many attackers, they are simply looking for the low hanging fruit, and may not be interested in the extra effort involved in escalating from spraying phishing emails to a more targeted attack against an organization," he says. 

"GDPR has several categories that are used to determine the level of fines an organization may face. These include the nature of the breach, the intent, were mitigations taken, were preventative measures taken prior to the breach, what type of data was involved, and was the organization certified by a body stating they were following standards, among other things," Ragland adds. "These factors help decide if the fine is split into lower level (up to 10 million euros or two percent of worldwide annual revenue) or upper level (up to 20 million euros or four percent of worldwide annual revenue).CCPA is similar to GDPR for assessing how fines will be levied but allows consumers to pursue litigation if someone gets unauthorized access to their data. One of the provisions that allow suits to take place on that basis include a lack of reasonable security procedures."

Lisa Plaggemier, Chief Strategy Officer at MediaPro, also iterates the need for employee training. "Why is training employees on phishing emails so important? The vast majority of attacks come through phishing emails.  It’s not all the “Nigerian Prince” any more.  Rather than being full of bad graphics and awkward English, the bad guys are using graphic artists and native speakers to produce more convincing emails that are harder to detect," she says. "They’re also using compromised email accounts to send email directly from a legitimate account, instead of a spoofed address, make those very hard to recognize as phish.  Training needs to be engaging and current – keeping up with the bad guys is critical, and employees need help to do that.  These days, it’s careless not to train your employees."