This week (18/08/20) it has been reported that British-American cruise operator Carnival has been the victim of a ransomware attack, which has likely resulted in a major data breach. The attack was discovered on 15 August 2020 and promptly reported. The ransomware attack accessed and encrypted part of the IT systems of one of its brands. Carnival’s portfolio of global cruise brands includes Carnival Cruise Line, Holland America Line, Princess Cruises, P&O Cruises (Australia), P&O Cruises (UK), Seabourn, Costa Cruises, AIDA Cruises, and Cunard. It is unclear which brand was attacked. Personal data of its staff and customers could be at risk. Cyber criminals managed to download several of its data files, which could lead to a double extortion attack. It has been suggested that many organisations’ systems may have recently been exposed due to home working.
However, this is not the first time data has been breached. It was reported that in the first six months of 2019 data breaches exposed 4.1 billion compromised records, which was before mass home working due to Covid-19.
Since May 2018, the risks of a data breach have increased enormously with the introduction of the General Data Protection Regulation (GDPR), which was applied in UK law through the Data Protection Act 2018. Companies can now be fined a maximum of ‘20 million Euros or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher.’
Since the GDPR, the Information Commissioner’s Office (ICO) has threatened British Airways with a £183 million fine for a data breach of 380,000 people’s financial and personal details between August and September 2018. However, it has recently been reported in the news that British Airways expects to pay £20 million, a reduction of almost 90%. We shall have to wait and see what fine is actually paid.
More recently, easyJet announced that it had suffered a cyber-attack in January 2020 which breached the personal details of around nine million customers. About ten thousand of those customers have joined a group action personal data claim led by law firm PGMBM.
All this highlights how important it is for all businesses to adequately protect their clients’ data. It is important to protect all ‘smart’ devices, because most devices are connected to each other and hackers only need to find the weakest link to gain access.
Cyber-attacks can come in the form of fraudulent emails that try to extract security information, known as phishing. Phishing emails can also contain malicious software which, once downloaded, can infect a computer. It could be a bot which secretly runs in the background and allows remote access. Several bots will form a botnet that can then be instructed to perform synchronised tasks. An innocent-looking program may contain a trojan that gathers information, intercepts messages, or installs a back door to allow remote access. Ransomware can encrypt the files on a device. The victim is then blackmailed to pay money to receive the key that decrypts the files. Ransomware can be so sophisticated that reverse engineering is not possible. If the files are not duplicated elsewhere, the only way to retrieve them is with the virtual key. Europol has stated that ransomware, which provides an easy stream of income for cybercriminals, was the top cyber threat in 2019. In 2017 a web hosting firm in South Korea paid a one-million-dollar ransom.
Advancements in technology come with great opportunity, but they also come with risk. It has been predicted that cybercrime will cost the world six trillion dollars annually by 2021. Businesses of all sizes need to seriously consider their cyber vulnerabilities and do all they can to protect themselves, or risk paying a heavy price.