Adding insult to injury for cruise ship company Carnival Corporation (Carnival) following the hit from the pandemic to the travel industry, as well as a class action lawsuit relating to the Diamond Princess’ fate during the pandemic, Carnival disclosed in its August 17, 2020, 8-K filing that it was recently hit with a ransomware attack. According to reports, Carnival disclosed that the successful attack accessed and encrypted a portion of its IT systems and the attackers requested a ransom to provide the encryption key. A double whammy for a company that has been hit hard by the pandemic. It reiterates that cyber criminals just don’t care if you are down on your luck and will hit victims whenever they can.

It is being reported that Carnival has confirmed that the attackers exfiltrated and downloaded some of its data, which may have included the personal information of customers and employees. Unfortunately, this may signal that Carnival is in for a second request for ransom if they don’t pay the first one to obtain the encryption key if the attackers were Maze or ReVIL/Sodinokibi.

Carnival is the largest cruise ship operator in the world, employing over 150,000 individuals. It is estimated that over 13 million people book a Carnival cruise yearly, so depending on the data that was accessed and exfiltrated, and how long the company stored employee and customer personal information, the incident could involve tens of millions of individuals’ data.

Carnival is in the midst of its investigation and is working with law enforcement and cybersecurity experts. It has stated that the attack has not materially affected its business operations or financials.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.