Carnival Corporation has disclosed that an Aug. 15 ransomware attack accessed the personal data of guests and employees of Carnival Cruise Line, Holland America Line and Seabourn. However, Carnival said there is "a low likelihood of the data being misused."

The group said: “While the investigation is ongoing, early indications are that in early August the unauthorized third party gained access to certain personal information relating to some guests, employees and crew for three of the corporation’s brands – Carnival Cruise Line, Holland America Line and Seabourn, as well as casino operations.”

“While how the third party gained unauthorized access has not been disclosed, this is yet another example of the importance of proper investment in cybersecurity programs to protect company and customer data,” says Terence Jackson, Chief Information Security Officer at Thycotic. “Attackers are not taking it easy during the pandemic. They are stepping the attacks up and we have to be ready.”

According to Caroline Thompson, Head of Underwriting at Cowbell Cyber, ransomware is now targeting all industries and evolving into a new form of data breach as criminals not only ‘steal access’ by placing a bounty to regain access to data and assets, but also threaten to steal the data itself. 

“Moving forward, businesses should evaluate cyber insurance for every coverage and assistance that the policy might provide prior to, during and after a cyber incident,” Thompson adds. “Insurance underwriters should refine their risk assessment approach by collecting data that accounts for today’s new work-from-home model and also demand access to cloud configurations (inside-out data) to refine their risk selection. Furthermore, they should potentially decline coverages if security best practices, such as multi-factor authentication (MFA), are not implemented. Coverages addressing social engineering incidents and ransomware should be revised with clear definitions on included or excluded devices and adequate limits. Insurance offerings should be built using data, artificial intelligence (AI) and continuous underwriting – ingesting new data in real-time and rapidly responding to today’s ever-changing threat landscape. The increased complexity in cyber insurance makes it a good time for policyholders to consider a standalone cyber policy that brings clarity into what’s covered or not, and provides adequate limits.”

Steve Durbin, Managing Director of the Information Security Forum, notes that organizations should rethink their defensive model, particularly business continuity and disaster recovery plans, to protect against the scale and scope of these types of threats. “Established plans that depend on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure. Revised plans should cover threats to periods of operational downtime caused by attacks. Creating a cyber-savvy workforce that takes information security seriously, while nurturing a culture of trust, will help to eliminate poor security practices as well as diminish the number and scale of incidents,” Durbin says.