Is Internet Aboard Cruise Ships Safe?

Original Article Source How Safe Is the Internet Aboard Cruise Ships - Cruise Critic

More from Pratesi Living – Food • Travel • Leisure

Is the internet aboard cruise ships safe? The last thing you want to think about is getting hacked when you’re on vacation, especially when sailing off to a far-flung destination halfway around the world. Though it would be rare for your accounts and personal information to be compromised when on a cruise ship, it could happen.

According to Jeffery Lauria, Vice President of iCorps Technologies, a pioneer in Information Technology outsourcing that offers IT consulting services and cybersecurity solutions across the globe, most people tend to let their guard down when they’re on vacation, creating the perfect environment for attackers.

It can happen on any vacation, land or sea. When we’re on vacation, we’re usually spending money so unusual credit card or banking activity may go unnoticed. In addition, when we stay in one place for an extended period, we’re giving cybercriminals more time to hack into or take control of our devices.

Here's what you need to know when you're using internet aboard cruise ships -- or anywhere on vacation.

What Kind of Cyber Attacks Should You be Aware Of?

Lauria tells us that there are three types of hackers: script kitties, nation-state hackers and cybercriminals. It’s the middle-of-the-road cybercriminals that are the main threat to us when traveling. They stay around long enough in hotel lobbies or restaurants to listen for all the Mac addresses and capture all of the traffic. Meanwhile, you never know that your personal information is being compromised. Sometimes, just as when your credit card information has been stolen by an employee from using your card at a restaurant or store, it can be an inside job by one or two threat actors working on a ship. It’s not likely, but it can happen.

According to a June 27, 2022 article in an online publication, Cybersecurity Dive, Carnival Corporation was the target of a series of cybersecurity incidents between 2019 and 2021, including two ransomware attacks.

The line was the victim of phishing and brute force attacks in May 2019 when threat actors accessed the email accounts of 124 employees and sent phishing emails out to other employees.

There were two ransomware attacks in August 2020 and January 2021. A malware attack discovered on Christmas Day in 2020 resulted in the encryption of Costa Cruises’ computer systems. The final incident occurred in March 2021 when a phishing attack impacted Carnival, Princess Cruises and Holland America Line.

The attacks exposed the personal data of the victims, including passport numbers and in some cases, social security and credit card numbers.

The article states that The New York State Department of Financial Services imposed a $5 million penalty on Carnival Corp., citing the lack of multifactor authentication and lack of proper cybersecurity training for its employees. Carnival also had a $1.25 million settlement in 45 states and one in Washington, D.C. citing the failure to protect the information of 180,000 customers and employees.

As part of the settlement with the state’s Attorney Generals, the piece says that "Carnival agreed to several provisions, including implementation of a breach response and notification plan, implement email security training, multifactor authentication for remote email access and is undergoing an independent information security assessment."

What are Other Cruise Lines Doing to Protect your Personal Information?

We reached out to Norwegian Cruise Line to ask what measures they have in place to safeguard passengers’ private information when sailing with the line. They referred us to the Sail & Sustain 2021 EOS Report for Norwegian Cruise Line Holdings Ltd. (NCLH), the parent company for Norwegian, Regent Seven Seas and Oceania Cruises.

According to the EIS Report, the company’s Technology, Environment, Safety and Security ("TESS") Committee of their Board oversees programs and policies related to cybersecurity.

While the line does collect personal data to enhance the vacation experience (such as the cruise line app), the report states, “We are committed to protecting this information and implement physical, technical, and organizational security measures designed to safeguard the personal data we process." It goes on to say, "These measures are aimed at providing ongoing integrity and confidentiality of personal data and we evaluate and update these measures on a regular basis. We operate worldwide and therefore comply with local and international regulations."

According to the same report from NCLH, the company also employs a Chief Information Security Officer, a Chief Information Officer and they have a 24x7x365 Security Operations Center (SOC) which provides security monitoring on shore and for the shipboard IT systems and applications. And there’s a team of cybersecurity professionals "trained and equipped to identify, contain, analyze and investigate any perceived security threats; and, has the ability to assist internal users on 24x7x365 basis with any information security questions or reported issues, such as phishing/scam emails, information security concerns and security solution related access or performance issues."

How Can You Protect Your Personal Data on a Cruise Ship?

As Michael Hadley, CEO and President of iCorps Technologies, explains, "Cruise lines need to balance security, convenience and the guest experience. Using a mobile device to pay for services is very convenient and an overall better consumer experience, however, it does open the end-user to being exploited. There is not much the cruise line can do to protect their customers, other than ensure the equipment used for these transactions is secure and has not been compromised. Placing security labels that are used to classify and protect sensitive information and restrict access to this information is one way of maintaining the integrity."

While the cruise lines have layers of security measures in place and teams to manage the complicated networks and potential cyber threats, it’s ultimately up to the passenger to protect themselves from cybercriminals. Lauria says, “Security is a shared responsibility, you cannot always assume that the business or vendor is doing the best possible job to protect you; as a matter of fact, it is best to assume they are not. Simple measures will reduce your exposure to these threats.” Lauria and Hadley suggest the following steps to ensure your safety when traveling and at sea:

  • If possible, use a VPN or “virtual private network” to protect against data theft. VPNs encrypt your data and communications, making it almost possible to steal. When you connect to an access point (Hotspot or Wi-Fi) you don’t know if it’s a legitimate hospitality wireless network, or one that is set up to steal your information. Even legitimate Wi-Fi networks (as mentioned in the 2021 EOS Report for NCLH) may be collecting information about you. If you don’t want that to happen, then use a VPN. However, it is important to know that using a VPN can be a challenge on a ship since it can slow down your internet speed.

  • Keep your device up to date, using commercial-grade endpoint protection.

  • Unless needed, turn off your Bluetooth. Bluetooth is a common way for cybercriminals to attack devices. Once they are attached, all your information can be accessed.

  • Turn off NFC (tap to pay). An example is Apple Pay. Although the NFC range is limited, it’s still another way for an attacker to take control. You don’t know if the device you are connecting (tapping) to has been compromised or not. Unfortunately, when traveling to other countries, their security practices may not be as secure as ours. This is especially true in the Caribbean.

  • Use a credit card vs. a debit card. It’s much easier to deal with if your account has been compromised. Credit card companies will remove fraudulent charges. With a debit card, the funds are immediately removed from your account. And it takes time to resolve the theft issue and have the money returned to your account.

  • Don’t use private ATM machines on the cruise ship or ashore. Wait until you can locate a major-name bank in a port city or town to get cash, and use ATM's inside the actual bank whenever possible.

  • If you must do any type of banking online, go directly to the bank’s website. Better yet, wait until you get home to manage your finances. Draining bank accounts is a common threat from hackers.

Hadley adds, "Cybercriminals count on vacations for people to let their guard down, but those basic security techniques that you use in your day-to-day life should not change when you’re on vacation. Keeping vigilant will ensure your personal information is not compromised."

Better yet, if you’re on vacation, leave the electronic devices at home and take time to disconnect. That’s the best way to ensure your personal internet security.

If you are interested in learning more about these solutions, or comprehensive enterprise monitoring
solutions such as iCorps SOC-as-a-Service, reach out for a free IT consultation.


Contact for a Free Consultation