Carnival Corporation, the largest cruise operator in the world with over 150,000 employees and 13 million guests annually, has been hit with a ransomware attack exposing data of customers and employees. Cybersecurity experts reacted below.
Carnival hit by ransomware attack, guest and employee data accessed https://t.co/UuIPj4BMwd pic.twitter.com/gHWd2i1uxt
— Reuters (@Reuters) August 18, 2020
We won’t know the real impact of Carnival’s breach until the company discloses what information was stolen. The sooner it reveals what customer information was breached, the sooner those customers can take steps to prepare and protect themselves. The longer it waits, the longer cybercriminals will have to launch attacks against affected customers.
This is another case of a company not taking the steps to properly defend their networks against the bad actors of the world. As mentioned by cybersecurity firm Bad Packets, Carnival failed to patch its edge gateway devices and firewalls, even though patches have been available to fix both issues since earlier this year. As for Carnival customers, they will need to keep their eyes open for phishing attempts and other “attacks” designed to separate them from their personal information and hard-earned money, as bad actors may attempt to take advantage of the data gleaned from this attack and the data breach that occurred earlier this year.
Attackers move swiftly to exploit critical vulnerabilities. Any organization that is not equipped to locate and patch vulnerable systems in under a week is at a significant risk of compromise from organized hacking groups. Once the network perimeter is breached, it can take skilled hackers little more than a few hours to gain complete control of the victim’s internal network and deploy their ransomware. Victims are left with the choice to either pay the cybercriminals’ extortion demands or attempt to recover operations on their own. Often, compromised organizations discover that, even if the attackers did not delete their backups, paying the ransom is both cheaper and faster than attempting recovery on their own. The unfortunate fact is that the normal recovery process, while functional for recovering the occasional failed system, completely fails to work when needing to recover hundreds or thousands of systems at once.
Carnival states that they detected the ransomware attack on August 15th, but it’s likely that the attackers had access to their network and data for weeks or months prior to searching and exfiltrating any sensitive data they could find.
Organizations seeking to protect themselves from ransomware attacks must adopt a culture of security that includes regularly scanning for serious security holes and patching them within a week’s time, ensuring that internal controls and monitoring exist to quickly detect and limit a potential attacker’s access, and ensuring that any recovery operations are effective at a mass scale.
This is just another example of how ransomware continues to wreak havoc on organizations of all sizes across most any industry. In this case, unfortunately, the strain is one of the newer types that exfiltrates data prior to encrypting the files. In these cases, the data exfiltration is often worse than the file encryption component as encrypted files can be restored from a backup, but once the data is exfiltrated, it cannot be undone. This one-two punch of data exfiltration and denying access through encryption is only getting worse and resulting in higher ransom demands than ever before. It is important to understand that once the data leaves the organization’s control, unless the data exfiltrated was encrypted by the organization before it was taken, the organization must treat this as a data breach even if they pay the attackers not to publicly release the data. Make no mistake, just because the data is not leaked to the public, it does not mean it will not be sold on the dark web. Carnival is understandably withholding statements at this time as they work to find out the extent of the incident and the potential impact to customers or the organization, a process that does take time. I am hopeful that Carnival will share the information discovered during the investigation, even if it is through an anonymous data sharing entity, in order to help other organizations protect themselves from these types of attacks.
The Carnival data breach is particularly nasty as the hackers have gained access and stolen the ‘holy grail’ of information, including personal details, credit cards and social security numbers; all the essentials to perform some pretty nasty identity fraud on its customers. It appears the attackers have used the classic diversion of a ransomware attack to divert attention to the real focus of the attack, which was to steal valuable and sensitive data.
In today’s security landscape, organisations and their security teams are outgunned by the attackers in terms of resources and skills. Security teams need to spend less time managing the systems and more time addressing the threats. One clear way to do this is using behavioural analytics to spot abnormal behaviour before it causes real problems. Secondly, using automation to allow the security team to focus only on the severe or real threats can further strengthen security posture. These can both help reduce the burden on security teams, bring better visibility and allow them to respond and react faster to attacks.