- Hackers managed to encrypt “a portion” of IT systems and also downloaded certain data files.
- Company believes no other information technology systems of other company’s brands have been impacted by this incident.
- Carnival implements a series of containment and remediation measures to address the situation and reinforce security of its systems.
Dubai: British-American cruise operator Carnival has disclosed in an SEC filing that that one of its brands suffered a ransomware attack on August 15, in which guest and employee data were accessed.
The 8-K form filed with the Securities and Exchange Commission (SEC) did not indicate the ransomware operation that compromised their network.
Hackers managed to encrypt “a portion” of one of their brands IT systems and also download certain data files, although Carnival refused to elaborate on which company had been hit.
Carnival is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually and operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.
While the investigation of the incident is ongoing, Carnival has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems.
It is working with industry-leading cybersecurity firms to immediately respond to the threat, defend the company’s information technology systems and conduct remediation.
“We expect that the security event included unauthorised access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies.
Carnival said that it has notified law enforcement, engaged legal counsel and hired incident response professionals who have helped to implement containment and remediation measures.
“Although we believe that no other information technology systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other company’s brands will not be adversely affected,” it said.
The company doesn’t see any material impact on business, operations, or financial results.