At a glance.
- Carnival sustains data breach.
- Data exposure at Wegmans.
Rough sailing for Carnival cruise lines.
British-American cruise ship operator Carnival Corporation has disclosed that an unauthorized third party accessed customer, employee, and crew data, Bleeping Computer reports. According to a breach notification letter sent to affected customers, Carnival detected in March that an intruder had gained access to a “limited” number of email accounts. Carnival's SVP and Chief Communications Officer Roger Frizzell explained, “The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing.” Carnival says, however, that it has found evidence indicating the data is unlikely to have been misused. This is at least the fourth time in recent months that a breach has rocked Carnival’s boat, and Carnival is generally considered the largest cruise operator in the world. In March 2020 customer and employee financial data were exposed after attackers infiltrated employee email accounts, and that August the operator was hit with a ransomware attack that compromised the data of approximately 37,500 individuals. Investigation and mitigation are still underway for a second ransomware attack that occurred last December.
We heard from Anurag Gurtu, CPO of StrikeReady, who notes that this has happened before: "Carnival has been hit with ransomware multiple times in the past, including last year. In fact, this type of attack is a double whammy: not only does the victim have to pay a ransom, but the PII stolen has a high value since it is sold on the dark market at a high price."
Wegmans leaves the shop unattended (or rather, a couple of cloud instances).
American supermarket chain Wegmans Food Markets experienced a data exposure caused by two misconfigured cloud storage databases. The Rochester Democrat and Chronicle explains that a third-party researcher discovered the data had been inadvertently left unprotected, and Wegmans confirmed the issue in April. Customer names, street addresses, birth dates, Shoppers Club numbers, and Wegmans.com login credentials were among the exposed data. On the bright side, it appears that the exposed passwords were all hashed and salted, no financial information or payment card data was exposed, and the databases in question have now been properly double-bagged...er, secured. Salting and hashing slow down offline guessing but do not rule it out for weak or reused passwords, so Wegmans says customers should consider changing their login info to be on the safe side, especially if they use the same username or password for other accounts.
Trevor Morgan, product manager with data security specialists comforte AG, wrote to us about the difficulty large retailers face: securing all the data they collect is an inherently tough challenge, and Wegmans, he thinks, seems to be responding properly:
“Large retailers and grocery chains collect an enormous amount of customer data. For many grocery chains, getting the best prices often means consumers give up sensitive personal information in order to obtain a loyalty card. Of course, this is the type of data that threat actors seek because it has such high value within shadow markets.
"These large enterprises have sophisticated IT infrastructures, and no doubt perimeter protections and data access controls serve as good baseline measures against intentional hacks and unintentional data access. However, when a reputable and popular grocery brand like Wegmans dutifully releases information about a data exposure due to configuration mishaps, it should remind organizations that those measures are baseline only, because they protect the environment around data and not the data itself. To do that, you have to turn to data-centric protection methods like tokenization and format-preserving encryption, which replace sensitive data with representational information that cannot be leveraged, even if it falls into the wrong hands.
"By all means, Wegmans is going through the proper procedures and alerting the public about mitigation efforts, but for similar enterprises that collect, handle, and process customer data, the incident should serve as food for thought—and hopefully some action.”
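To make concrete the distinction Morgan draws between protecting the environment around data and protecting the data itself, here is an added example, not code from Wegmans, comforte AG, or this page. It shows what an exposed database row looks like when the loyalty number has been replaced by a format-preserving random token held in a separate vault, and the password stored as a salted PBKDF2 hash, the kind of salted hashing the Wegmans exposure is reported to have used. The `TokenVault` class, the `CUSTOMERS` records and the storage string format are all hypothetical constructions for illustration.

```python
import hashlib
import os
import secrets
import string

# Constructed sample records standing in for the data the article lists
# (names, Shoppers Club numbers, login credentials). Entirely made up.
CUSTOMERS = [
    {"name": "Ada Example", "club_number": "4123456789", "password": "correct horse"},
    {"name": "Bob Sample", "club_number": "4987654321", "password": "hunter2"},
]


class TokenVault:
    """Hypothetical in-memory token vault.

    A token is random and format-preserving (same length, all digits), so it
    fits existing schemas and validators but reveals nothing about the value
    it stands for. The only way back is this vault, which in a real deployment
    lives in a separate, more tightly controlled system than the data store
    that was exposed.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token if this value was seen before, so joins still work.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in value)
            # Reject the (vanishingly rare) identity token or a collision.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Self-describing storage format (hypothetical): alg$rounds$salt$digest.
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _alg, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return secrets.compare_digest(digest.hex(), digest_hex)


def protect_records(records, vault: TokenVault):
    """Return the rows that would actually sit in the customer database."""
    return [
        {
            "name": r["name"],
            "club_number": vault.tokenize(r["club_number"]),
            "password": hash_password(r["password"]),
        }
        for r in records
    ]


if __name__ == "__main__":
    vault = TokenVault()
    for row in protect_records(CUSTOMERS, vault):
        print(row)
```

If a store built this way is left open to the internet, the dump contains digit strings that map to nothing without the vault and password hashes that still have to be guessed one at a time; the perimeter failure is the same, but the value of what leaks is not.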