Adding insult to injury for cruise ship company Carnival Corporation (Carnival) following the hit from the pandemic to the travel industry, as well as a class action lawsuit relating to the Diamond Princess’ fate during the pandemic, Carnival disclosed in its August 17, 2020, 8-K filing that it was recently hit with a ransomware attack. According to reports, Carnival disclosed that the successful attack accessed and encrypted a portion of its IT systems and the attackers requested a ransom to provide the encryption key. A double whammy for a company that has been hit hard by the pandemic. It reiterates that cyber criminals just don’t care if you are down on your luck and will hit victims whenever they can.

It is being reported that Carnival has confirmed that the attackers exfiltrated and downloaded some of its data, which may have included the personal information of customers and employees. Unfortunately, this may signal that Carnival is in for a second request for ransom if they don’t pay the first one to obtain the encryption key if the attackers were Maze or ReVIL/Sodinokibi.

Carnival is the largest cruise ship operator in the world, employing over 150,000 individuals. It is estimated that over 13 million people book a Carnival cruise yearly, so depending on the data that was accessed and exfiltrated, and how long the company stored employee and customer personal information, the incident could involve tens of millions of individuals’ data.

Carnival is in the midst of its investigation and is working with law enforcement and cybersecurity experts. It has stated that the attack has not materially affected its business operations or financials.