Carnival Cruises have disclosed a data breach after attackers gained access to customers’ personal information.

5 Expert Comments
Erich Kron, Security Awareness Advocate
InfoSec Expert
June 18, 2021 12:17 pm

Just as cruisers are starting to book trips after a long shutdown due to COVID-19, Carnival is facing yet another cybersecurity issue. The type of data and the sheer volume of it being collected by Carnival can be very valuable to attackers, so it is no big surprise they have been a target. Most large cruises, by their very nature, tend to visit ports in foreign countries, so they must collect sensitive information to be used for customs preparation and other purposes related to the travel. This includes social security numbers, passport numbers, full names, addresses, phone numbers and much more — all data that could be easily used to steal identities or open accounts in potential victims’ names.

These types of attacks are often started through email phishing attacks, so organizations that wish to avoid the same issues as Carnival would be wise to invest in high-quality email filtering and an employee training program focused on spotting email phishing attacks and proper password hygiene. In addition, investing in DLP (Data Loss Prevention) solutions and enabling 2FA (Two-Factor Authentication) on accounts would be wise as well.

Paul Bischoff, Privacy Advocate
InfoSec Expert
June 18, 2021 11:51 am

This is Carnival’s third major cybersecurity incident in 12 months. At this point, I would be extremely hesitant to trust the company with my personal information. As these attacks become a pattern instead of isolated incidents, I have to wonder whether Carnival is really prioritizing cybersecurity or if it’s just an afterthought.

Carnival’s stock price hasn’t significantly suffered from any of its three recent data incidents. If shareholders continue to profit from the status quo, it’s unlikely the company will invest in better cybersecurity technology and talent.

More on how data breaches affect stock market share prices: https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/

Martin Jartelius, CSO
InfoSec Expert
June 18, 2021 11:48 am

It is great that the company noticed the incident and could reach out to their affected customers and staff. It is of course more concerning that email has been used as a means of storing and processing those rather sensitive sets of data. We are years past GDPR and other privacy legislation, and email may be the form of communication chosen by customers to submit their personal data, but it is essential that this data should not be retained in those systems in unstructured manners for extended periods of time.

Alexa Slinger, Identity Management Expert
InfoSec Expert
June 18, 2021 11:47 am

The travel industry, already hit hard by the pandemic, is now reopening to an expanding and evolving cyber threat landscape. This is the second cyberattack in the last year (https://www.securitymagazine.com/articles/93639-carnival-ransomware-attack-affected-three-brands) on Carnival Corporation and unsurprising as the tourism industry’s vulnerabilities continue to be exploited. The travel industry tends to rely on third-party vendors, such as booking portals and online platforms, making them an easy target for hackers seeking sensitive data. This breach serves as a reminder that all organizations must put preventative measures in place to protect themselves and their customers. Organizations can begin this process by building a comprehensive Trust & Security program that focuses on building an internal “Security First” culture, as well as the processes and technology controls used to protect the data they, or other 3rd parties, process and store. By making security a central component of the business and using a data-centric approach, organizations can protect their business against costly, possibly detrimental, breaches.

Jack Chapman, VP of Threat Intelligence
InfoSec Expert
June 18, 2021 11:36 am

It’s concerning to see that Carnival Cruises has suffered another data breach, following two ransomware attacks last year. Email remains the most common entry point for attackers, underlining the need for organisations to put in place the right technology to defend their employees from the targeted phishing attacks that are the most convincing and do the most damage.

The hackers were able to access a significant amount of personal data about Carnival’s customers, including names, addresses and passport numbers. Concerningly, this information could now be used by cybercriminals to formulate sophisticated phishing attacks targeting Carnival Cruises customers.

In light of this, I would urge any Carnival Cruises customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may be highly convincing, utilising personal information accessed through this data breach to trick people into parting with further personal data that can be used for identity or financial theft.
