Carnival Cruises bruised by $6.25 million fine after series of cyberattacks

Carnival Cruises, the world’s largest travel leisure firm, which operates over 100 ships for millions of vacationing customers, has been fined a total of $6.25 million following a series of security mishaps.

Between April and July 2019, Carnival suffered a data breach that saw unauthorized parties gain access to information about 180,000 employees and customers.

As The Record reports, the hackers were able to break into employees’ email accounts, which allowed them to send convincing-looking phishing emails and gave them access to an alarming amount of sensitive data.

Details exposed included guests’ names, addresses, social security numbers, passport or driving license details, credit card and financial account information, and health-related information.

The company did not notice suspicious activity on its network until late May 2019 (the breach continued, by Carnival’s own admission, until July 23 2019), and the data breach was only made public in March 2020 – ten months later.

An investigation determined that employees’ email accounts were not hardened with multi-factor authentication.

Clearly, that would have been bad in itself, but some months later Carnival discovered that it had fallen foul of hackers again.

On August 15 2020, Carnival detected that it had suffered a ransomware attack that saw cybercriminals encrypt some of the data on its network, and once again exfiltrate sensitive personal information about customers and employees.

That’s clearly not the kind of news anyone wants to hear from their employer or the company that’s taking them on vacation.

To its credit, on this occasion, the cruise ship company went public about the attack within just a couple of days and took steps to contain and remediate the security breach with the help of external experts.

At the time, in a regulatory filing, the corporation warned that the unauthorized data access might lead to claims from guests, employees, shareholders, and others.

That warning has now clearly come true.

As The Register reports, Carnival has agreed to pay penalties totaling $6.25 million for its failure to properly secure data.

Carnival has committed to providing better cybersecurity training for its employees, putting better password security practices in place, improving its email defenses, and enabling multi-factor authentication for those accessing their corporate email remotely.

