

The world’s largest cruise operator, Carnival Corp. & plc, has been hit by a ransomware attack in which customer data was stolen.
The attack, detailed in a U.S. Securities and Exchange Commission regulatory filing Aug. 15, was detected by the company the same day. The unnamed form of ransomware is said to have accessed and encrypted a portion of one brand’s information technology systems and included the download of certain data files.
Carnival did not say which brand was affected. The company operates brands that include Carnival Cruise Line, Costa, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard and Seabourn.
The data stolen included personal data of guests and employees, “which may result in potential claims from guests, employees, shareholders, or regulatory agencies,” the company said.
Carnival noted that it had launched an investigation, informed law enforcement and engaged legal counsel and other incident response professionals. “While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems,” Carnival noted.
Although the company didn’t provide any details of the attack other than the basics, cybersecurity firm Bad Packets LLC told Bleeping Computer that Carnival uses vulnerable edge gateway devices that would allow an attacker to gain access to a corporate network. Those devices include Citrix ADC (NetScaler) devices and Palo Alto Networks Inc. firewalls with known vulnerabilities.
“Fueled by the success of previous ransomware attacks, it’s no surprise the number of ransomware attacks continues to increase,” Pravin Madhani, chief executive officer and co-founder of next-generation application workload protection platform company K2 Cyber Security Inc., told SiliconANGLE. “While many of these successful attacks come from phishing campaigns, it’s not necessarily the only means. It’s also possible for ransomware to be deployed utilizing exploited vulnerabilities.”
That’s why, he added, organizations need to remain vigilant in their security, not only using phishing detection and training employees to recognize phishing but also making sure they have defenses for all of their applications, data and assets that are internet-facing. “That includes making sure their devices and software are up to date and patched,” he said. “Equally important, organizations need to make sure they vet the security of partners as thoroughly as they vet their own security infrastructure.”
Investors did not take the news well. Carnival has already been hammered this year by the COVID-19 pandemic and resulting downturn in travel. Shares in the company fell today more than 5%, to $14.68. By comparison, Carnival’s 52-week share price high was $51.94.