On March 2, Princess Cruises and Holland America Line -- both owned by Carnival Corp. -- announced separately that they were the victims of an email phishing attack in late May 2019. According to the companies' press releases, deceptive emails were sent to employees, which ultimately allowed a third party to access employee email accounts. Within those accounts was employee and guest information, including names, Social Security numbers, government identification numbers (such as passport numbers and national identity card numbers), credit card and financial account information, and health-related information.
This is a breaking news story and more information will be added as we get it.
According to their respective press statements, "The company notified law enforcement of the incident and are notifying affected individuals where possible. While there is currently no indication of any misuse of this information, credit monitoring and identity protection services will be provided free of charge to give those affected peace of mind."
This announcement comes nine months after the breach occurred, following a pattern within the hospitality industry of announcing data breaches long after they've taken place. This delay could be directly tied to the amount of compromised information.
"Depending on the number of compromised email accounts and volume of emails and attachments contained in those accounts, identifying whose personal information is in those accounts may be a lengthy process," explains Elizabeth Harding, shareholder at Polsinelli law firm.
According to Harding, Carnival would have likely retained a forensic firm to conduct an investigation into the incident that would have included identifying which email accounts were compromised, which emails and attachments included personal information, and which individuals were mentioned in those emails. Once identified, a notification list of those individuals would need to be created and mailing addresses would need to be located so that notifications could be mailed to those impacted individuals. Notification letter templates would need to be created and a notification mailing vendor and call center would need to be retained before the notification letters were sent. All of which can take a great deal of time.
But there could be another reason why Carnival delayed notifying the public.
"Law enforcement may request companies not disclose a breach publicly while an investigation is ongoing," explains Charles Ragland, security engineer at Digital Shadows. "Depending on the kind of information that was accessed, there could be specific laws that require steps to be taken to disclose the breach. This is typically the case when it is financial or medical data. There are currently no national standards in place for breach disclosure timelines in the U.S., so companies have to navigate the regulations that each state has in place."
Phishing Emails Remain Effective
Princess Cruises and Holland America Line both wrote in their respective statements about the incident that deceptive emails were sent to employees, which ultimately allowed criminals to access the sensitive data. Employees were likely targeted by phishing emails, which are becoming more sophisticated with every passing day. While Carnival has not released the nature of the phishing emails, there are some likely possibilities.
According to Chris Hazelton, Director of Security Solutions at Lookout, the cruise industry has a lot of mobile-centric employees using smartphones or tablets to communicate with each other. The smaller screens combined with employees who are rushing to meet customer needs "create an ideal opportunity for phishing" especially if the phishing emails mimic the company's own internal websites or apps, easily tricking employees into giving up their work credentials.
It's also possible that the phishing emails were actually sent from a trusted employee account before anyone realized it was compromised, says Bruce Radke, shareholder, Polsinelli law firm.
"The threat actor may have compromised the other account and watched the email traffic flowing through the account," Radke notes. "As a result, the threat actor is able to identify potential targets and use the language of the user whose account is compromised. Given that the phishing email comes from a trusted sender and may mimic the sender’s language, it is increasingly difficult for the recipient to recognize that it is a phishing email being sent by a threat actor."
Employees Require Continuous Training
Human beings, unfortunately, are often the weakest link when it comes to cyber security. For this reason, it is imperative that all businesses invest in security training for their employees - especially when it comes to phishing emails. Why?
"The vast majority of attacks come through phishing emails," says Lisa Plaggemier, Chief Strategy Officer, MediaPro. "Training needs to be engaging and current – keeping up with the bad guys is critical, and employees need help to do that. These days, it’s careless not to train your employees."
"Research shows that, on average, 30 percent of an organization’s employees will, prior to training, fall for a planted phishing scam," says Kristen Menard, Director of Managed Security Services at Claro Enterprise Solutions. "After 90 days of training, that number is cut in half. And after a year, it goes down to about 2 percent."
Unfortunately, this type of training isn't always carried out in a manner that is effective.
"Many security awareness programs are ineffective," Menard explains. "They’re presented as one-and-done exercises. As a result, they fail to keep up with the continually evolving threat landscape. So by the time training is done, a set of new risks has developed. Also, scheduled one-off training programs can create a false sense of security, leading executives to conclude they don’t need to constantly focus on the people threat."
Additionally, these training programs can be "painfully boring," which prevents employees from retaining the information they were forced to learn. Often they forget the information within a matter of weeks, Menard stresses.
When it is done correctly, however, email phishing training helps employees correctly identify potentially suspicious emails and makes them more cautious when asked to provide their credentials, Radke says. Not only does such training protect employees and guests from having their personal data stolen or compromised, it also helps protect the company from potential regulatory action or claims for damages. If a company can provide evidence that it regularly provided employee training in areas of privacy and cyber security, it could potentially have a better defense when taken to task.
Will Carnival Face GDPR, CCPA Fines?
For a company such as Carnival, which regularly has European Union residents on its ships, being able to mount a successful defense could critically impact the fine it receives from the Information Commissioner’s Office under GDPR guidelines.
"Under GDPR, assessment of fines takes into account a number of issues such as the affected company’s response to the breach and the security measures it had in place to prevent it (including employee training)," Harding notes.
When it comes to CCPA, it is generally believed that there will be no liability for breaches prior to July 1, 2020, when it starts to be enforced. However, that remains "uncertain," says Mark McCreary, co-chair of the Privacy and Data Security practice at Fox Rothschild. When in force, attorney fines under the CCPA are up to $2,500 for unintentional acts, and up to $7,500 for intentional acts. Under the private right of action, it is between $100 and $750 per event, per person affected (class actions are available). If the actual damage is higher than $750, the recovery may also be higher. And unlike the GDPR, there are no caps on liability.
"There has not yet been any litigation under CCPA (that we are aware of) so this may be the first breach to give rise to this private right of action," Harding adds.
HT has reached out to Princess Cruises and Holland America Line for comment on the breach. If/when we receive a response, we will update this story to include it.