Carnival takes remedial action after cyber breach

The cruise shipping group detected a ransomware attack on 15 August on one of its (unnamed) brands and informed the US Securities and Exchange Commission.

Ransomware “accessed and encrypted a portion of one brand’s information technology systems” said Carnival.

During this unauthorised access, data files, including information on passengers and seafarers, were downloaded.

This setback comes as Carnival is trying to tackle a severe downturn in cruise shipping due to the coronavirus pandemic.

Once the ransomware was detected, Carnival worked with cyber security firms to defend its information technology systems and conduct remedial action, implementing a series of containment and remediation measures to address the situation and reinforce the security of its information technology systems.

It has also “launched an investigation, notified law enforcement and engaged legal counsel and other incident response professionals”, Carnival said.

Based on its preliminary assessment and on the information currently known, Carnival “does not believe the incident will have a material impact on its business, operations or financial results”.

However, it expects potential consequences from the unauthorised access to personal data of guests and employees, and is planning for them. “This may result in claims from guests, employees, shareholders, or regulatory agencies,” said Carnival in a statement.

It is not ruling out the possibility other brands could be adversely affected by this intrusion. But there is no evidence to date that other Carnival brands have been impacted by this incident, based on its ongoing investigation.

Carnival’s cyber incident comes less than two weeks after shipping industry experts discussed the severity and frequency of these types of attack during Riviera Maritime Media’s Maritime Cyber Security Webinar Week. Representatives from security, law, insurance, institutes and classification societies collectively underscored the ongoing threats and potential consequences of cyber breaches.

During one of the webinars, Neptune Cyber chief executive Gwilym Lewis explained that the frequency of successful attacks was increasing.

“Successful maritime attacks are happening on a regular basis, even if they are not openly reported,” said Mr Lewis. Therefore, “companies need good emergency recovery” he said, adding these plans need to cover many possibilities. “Plans should assume the worst,” he said.

Because of the constant changes in attack vectors and vulnerabilities, response plans need to be flexible and adjustable. “Response plans need to be living and breathing documents,” Mr Lewis said. “They must be constantly updated as cyber threats evolve on a daily basis, vessel systems and technology get upgraded, thus plans need to keep pace, too.”

Norton Rose Fulbright partner Philip Roche agreed there were increasing threats and shipping companies needed to “consider risk management and cyber attack recovery.”

Most reported cyber attacks have focused on company IT systems, servers and customer portals. These attacks could lead to lost data, disrupted operations, “loss of hire, reputation and business” said Mr Roche.

But there is a risk these could migrate to ships’ IT and operational technology (OT), said ClassNK cyber security team deputy manager Makiko Tani.

“Ships today are increasingly leveraging cyber space, and OT is more connected with IT and communications; these bring new vulnerabilities,” she said.

Therefore, shipowners, operators and managers need a better understanding of onboard OT and the required cyber risk controls. “Know how your ships are designed and protected,” Ms Tani said. “Be aware of the onboard OT and IT, and where these meet.”

Beazley senior risk manager Kelly Malynn said part of this understanding was conducting assessments of servers, IT systems and ship OT to cyber threats

“Risk assessment quality is important,” she said. “Owners need to invest in this to mitigate risk.” Ms Malynn urged shipping companies to separate IT systems into subnetworks as this “makes it harder for an adversary to gain access to essential systems and equipment”.

Willis Towers Watson executive director and cyber insurance specialist Andrew Hill said shipping should not underestimate threat risk or the consequences.

“Do not be a victim of ignorance,” he said. “You should take preventative steps for risk mitigation.”

In another webinar, port operators were also warned about the risk of cyber threats to their operations and data servers.

Law firm McDermott, Will & Emery partner Paul Ferrillo said all ports and terminals are in the firing line of cyber attackers. “If you have data, you are a target,” he warned. “You will be attacked and breached – you may already be breached, but may not know it.”

University of Plymouth, Faculty of Science and Engineering lecturer in cyber security Kimberly Tam said would-be hackers could be snooping inside servers undetected. “Hackers would need a lot of reconnaissance of maritime and port servers,” she explained. “We are unable to see who is inside these networks.”

Cyber risk management specialist group, Maritime Transportation System ISAC, executive director Scott Dickerson said port operators need to understand their vulnerabilities and ensure they are prepared. “People need to be aware of the threats. It is not just a technology challenge,” said Mr Dickerson. Some of the solutions for cyber security is to train people to be alert and detect threats. Cyber security is also about having the correct processes in place.

Carnival is the latest shipping company to report a cyber security breach. Earlier this year, Toll Group, Mediterranean Shipping Company (MSC), Anglo-Eastern and OSM Maritime Group also reported security incidents.

Australian transportation and logistics company Toll Group had to shut down its IT systems and key customer portal in response to a ransomware attack in May. It then cleansed its servers to prevent data being stolen. That was Toll’s second security breach this year as it was a victim of ransomware in February 2020.

In April, MSC’s data centre was subjected to a malware attack. This led to it closing its customer-facing portal, myMSC, for nearly a week. MSC confined this interference to a limited number of physical computers at its Geneva headquarters.

Cyber threats are not just confined to shipowners. Shipmanagement group Anglo-Eastern suffered a ransomware attack to its IT systems in May, just a month after it moved offices to new premises in Kowloon, Hong Kong.

Anglo-Eastern had to quarantine, check and make each workstation and server safe before they could be returned to operation. This took a number of days as it had 1,850 workstations and 200 servers to check.

Also in May, OSM Maritime Group was a victim of an IT-related incident and had to disconnect several of its servers. OSM had to contain the ransomware, mitigate its impact, remove the threat and recover following the attack. It then enhanced its cyber security safeguards to prevent recurrence.

If you missed Riviera’s Maritime Cyber Security Webinar Week, these webinars can be reviewed in Riviera’s webinar library, using this link.