Carnival Corporation has confirmed that its IT systems have suffered a ransomware attack, with the attackers gaining access to data files on the company’s systems and locking down parts of the network.
The company made a statement to the US Securities and Exchange Commission on August 17 disclosing the incident, which had taken place two days earlier, noting its response and immediate engagement with law enforcement and cybersecurity experts on the matter. Carnival did not disclose which of its cruise shipping brands had been the victim of the breach.
“On August 15, 2020, Carnival Corporation and Carnival plc detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” Carnival said.
“Promptly upon its detection of the security event, the Company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals.”
“While the investigation of the incident is ongoing, the Company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems. The Company is working with industry-leading cybersecurity firms to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation.”
A preliminary assessment of the attack suggests that the incident occurred within a portion of one of Carnival’s brands’ information technology systems, and as such was not of a scale to create a material impact on the Group’s business. However, the company did note that it expects that the attackers gained unauthorised access to personal data of guests and employees, and that claims from guests, employees, shareholders, or regulatory agencies could potentially follow.
“Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected,” Carnival added.