Cruise provider Carnival confirms ransomware attack with data exfiltration

The shipping company Carnival, a provider of cruises, has now confirmed a ransomware attack. It also admitted that data of employees, and probably also of customers of the cruise line, was stolen in this attack.


Carnival Corporation is the largest cruise operator in the world, with over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard and its luxury cruise line Seabourn.

Ransomware attack in August 2020

I addressed this attack briefly in my German blog post Sicherheit: Hacks und Ransomware, die neue Bedrohung. The Carnival Corporation had reported this successful attack on its own IT to the authorities. "On August 15, 2020, Carnival Corporation and Carnival plc (the "Company") discovered a ransomware attack that accessed and encrypted a portion of a brand's information technology systems. The unauthorized access included downloading some of our data files," the Company stated.

In my blog post, I had also provided the following information: According to Bad Packets, a cyber security service provider, Carnival uses vulnerable gateway devices that allow an attacker to gain access to a corporate network. The vulnerability might be CVE-2019-19781 in Citrix ADC (NetScaler). The devices have been subject to a warning and firmware update since December 2019, and the vulnerability is known to be exploited (see PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781). The other vulnerability, CVE-2020-2021, is in Palo Alto Networks firewalls and allows unauthenticated network-based attackers to bypass authentication. This vulnerability was patched in late June 2020 (see Alert: Patch CVE-2020-2021 (in Palo Alto Networks products)).

Data theft confirmed

I have now become aware of another article by Bleeping Computer via a tweet. Carnival Corporation now confirms that personal data was leaked during the ransomware attack.


In a statement to the U.S. Securities and Exchange Commission (SEC), Carnival Corporation confirmed that unknown cyber criminals gained access to personal information about customers and employees during the ransomware attack. The discovery was made during an investigation led by a large cyber security firm, which Carnival had hired after the incident on August 15. The company also informed the data supervisory authorities and the relevant law enforcement agencies.

"While the investigation is still ongoing, there are early indications that the unauthorized third party has gained access to certain personal information of some guests, employees and crews for some of our operations," Carnival writes in the SEC filing. "At this time, there is no evidence of abuse of this information. Although we do not believe at this time that this information will be misused in the future or that this incident will have a material adverse effect on our business, operations or financial results, we cannot make any assurances and, in addition, we may be subject to future attacks or incidents that could have such material adverse effect."

Similar articles:
German Software AG victim of Cl0p ransomware, data leaked
Ransomware grounds French shipping company CMA CGM S.A.
Cyber attack with ransomware on US hospital operator UHS
Ransomware attack in German hospital ends deadly for a woman – blame Shitrix vulnerability
