Carnival Cruises into Danger After Ransomware Attack

British-American cruise operator Carnival has suffered a ransomware attack in which guest and employee data was accessed, it has revealed in a regulatory filing.

Attackers managed to encrypt a portion of the IT systems of one of its brands, although Carnival refused to elaborate on which company had been hit.

Carnival said that it has notified law enforcement, engaged legal counsel and hired incident response professionals who have helped to implement containment and remediation measures.

The attack comes at a bad time for the company, which has been hit hard by the current pandemic and a collapse in global tourism.

Steve Durbin, managing director of the Information Security Forum, argued that many organizations' systems may have been exposed of late due to mass home working by employees.

"To protect against the scale and scope of these threats, an organization will be forced to rethink its defensive model, particularly its business continuity and disaster recovery plans. Established plans that rely on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure," he said.

Revised plans should cover threats to periods of operational downtime caused by attacks on infrastructure, devices or people.

Creating a cyber-savvy workforce that takes information security seriously, while fostering a culture of trust, will help to eradicate poor security practices as well as reduce the number and scale of incidents.
