Adding insult to injury for cruise ship company Carnival Corporation (Carnival) following the hit from the pandemic to the travel industry as well as a class action lawsuit relating to the Diamond Princess’ fate during the pandemic, Carnival disclosed in its August 17, 2020 8-K filing that it recently  experienced a ransomware attack. According to reports, Carnival disclosed that the successful attack accessed and encrypted a portion of its IT systems and the attackers demanded a ransom to provide the encryption key. A double whammy for a company that has been hit hard by the pandemic. It reiterates that cyber criminals just don’t care if you are down on your luck and will hit victims whenever they can.

It also is reported that Carnival has confirmed that the attackers exfiltrated and downloaded some of its data, which may have included the personal information of customers and employees. Unfortunately, if the attackers were Maze or ReVIL/Sodinokibi, this may signal that Carnival is in for a second request for ransom if they don’t pay the first one to obtain the encryption key.

Carnival is the largest cruise ship operator in the world, employing over 150,000 individuals. It is estimated that more than 13 million people book a Carnival cruise each year, so depending on the data that were stolen and how long the company stored employee and customer personal information, the incident could involve the data of tens of millions of individuals.

Carnival is in the midst of its investigation and is working with law enforcement and cybersecurity experts. It has stated that the attack has not materially affected its business operations or financials.