Floating COVID incubation tank becomes data-leaking ransomware rustbucket: Carnival admits crims made off with personal data booty
Plus: Cali uni that paid $1.4m to crims had decent backup software, but they didn't use it on the affected systems
The cruise ship industry is all but shuttered worldwide because the floating hotels are a great way to contract coronavirus. And now the industry's biggest player, Carnival Corporation, has also come down with a case of ransomware.
The company on Tuesday issued a regulatory filing [PDF] in which it admitted: "On August 15, 2020, Carnival Corporation and Carnival plc... detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files."
The filing also reveals that the company expects "that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies". The filing also said Carnival can't be completely sure that the incident did not hit more than one of its brands (it has at least 10).
The company was at least able to act quickly and did not cover things up, as shown by the statement emerging two days after the attack was detected and detailing containment and remediation efforts. The document also said Carnival has called the cops, hired lawyers, and brought in white hats to get to the bottom of the mess.
Perhaps ironically, the filing includes a section titled "Cautionary Note Concerning Factors That May Affect Future Results", which includes the boilerplate observation: "Breaches in data security and lapses in data privacy as well as disruptions and other damages to our principal offices, information technology operations and system networks... may adversely impact our business operations, the satisfaction of our guests and crew and lead to reputational damage."
Which, like a stopped watch, has now been proven correct. ®