Carnival Corporation Confirms Cyber Attack and Ransomware on Costa and AIDA IT Systems

Feb 09, 2021

Carnival Corporation has confirmed a security breach, admitting to unauthorized access and a ransomware attack on the information technology systems of two of the company’s brands. The ransomware attack on the AIDA Cruises and Costa Cruises IT systems was disclosed by Carnival Corporation & plc in its 2020 Annual Report on Form 10-K.

The unauthorized access was discovered on December 25, 2020, when AIDAperla and AIDAmar were about to set sail for New Year's cruises. The attack resulted in the cancellation of all AIDA voyages scheduled through mid-January. Additional cancellations followed later, and the resumption of cruises has now been postponed to March 2021. Costa Cruises was affected by an IT outage that prevented guests from booking cruises through its online reservation system.

“On December 25, 2020, we detected a ransomware attack and unauthorized access to our information technology systems affecting two of our brands. We engaged a major cybersecurity firm to investigate the matter and notified law enforcement and applicable regulators of the incident. The incident investigation and remediation phases are in process, but at this time there is currently no indication of any misuse of information. While at this time we do not believe that these incidents will have a material adverse effect on our business, operations or financial results, no assurances can be given and we may be subject to future attacks or incidents that could have such a material adverse effect,” reads Carnival’s Annual Report regarding the recent ransomware attack.

Carnival noted that breaches in data security and failure to keep pace with developments in technology may adversely impact business operations and the satisfaction of guests and crew, and may lead to reputational damage.

The Annual Report said that Carnival Corporation “may continue to be impacted by breaches in data security and lapses in data privacy, which occur from time to time. These can vary in scope and intent from motivated driven attacks to malicious attacks intended to disrupt or compromise our shoreside and shipboard operations by targeting our key operating systems. Breach or circumvention of our systems or the systems of third parties, including by ransomware or other attacks, results in disruptions to our business operations; unauthorized access to (or the loss of company access to) competitively sensitive, confidential or other critical data (including sensitive financial, medical or other personal or business information) or systems; loss of customers; financial losses; regulatory investigations, enforcement actions and fines; litigation and misuse or corruption of critical data and proprietary information, any of which could be material.”

Carnival Corp detected another ransomware attack and unauthorized access to its IT systems in 2020. On August 15, 2020, Carnival engaged a major cybersecurity firm to investigate the matter and notified law enforcement and applicable regulators of the incident. Back then, Carnival said that the unauthorized third party gained access to certain personal information relating to some guests, employees and crew for some of its operations.

In late May 2019, Carnival disclosed a separate security breach of its IT network. Upon identifying this potential security issue, the company engaged cybersecurity forensic experts and initiated an investigation to determine what happened and who was impacted. The investigation revealed that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding its guests.