Original Article Source How Safe Is the Internet Aboard Cruise Ships - Cruise Critic
More from PratesiLiving.com: Pratesi Living – Food • Travel • Leisure
Is the internet aboard cruise ships safe? The last thing you want to think about is getting hacked when you’re on vacation, especially when sailing off to a far-flung destination halfway around the world. Though it would be rare for your accounts and personal information to be compromised when on a cruise ship, it could happen.
According to Jeffery Lauria, Vice President of iCorps Technologies, a pioneer in Information Technology outsourcing that offers IT consulting services and cybersecurity solutions across the globe, most people tend to let their guard down when they’re on vacation, creating the perfect environment for attackers.
It can happen on any vacation, land or sea. When we’re on vacation, we’re usually spending money so unusual credit card or banking activity may go unnoticed. In addition, when we stay in one place for an extended period, we’re giving cybercriminals more time to hack into or take control of our devices.
Here's what you need to know when you're using internet aboard cruise ships -- or anywhere on vacation.
Lauria tells us that there are three types of hackers: script kitties, nation-state hackers and cybercriminals. It’s the middle-of-the-road cybercriminals that are the main threat to us when traveling. They stay around long enough in hotel lobbies or restaurants to listen for all the Mac addresses and capture all of the traffic. Meanwhile, you never know that your personal information is being compromised. Sometimes, just as when your credit card information has been stolen by an employee from using your card at a restaurant or store, it can be an inside job by one or two threat actors working on a ship. It’s not likely, but it can happen.
According to a June 27, 2022 article in an online publication, Cybersecurity Dive, Carnival Corporation was the target of a series of cybersecurity incidents between 2019 and 2021, including two ransomware attacks.
The line was the victim of phishing and brute force attacks in May 2019 when threat actors accessed the email accounts of 124 employees and sent phishing emails out to other employees.
There were two ransomware attacks in August 2020 and January 2021. A malware attack discovered on Christmas Day in 2020 resulted in the encryption of Costa Cruises’ computer systems. The final incident occurred in March 2021 when a phishing attack impacted Carnival, Princess Cruises and Holland America Line.
The attacks exposed the personal data of the victims, including passport numbers and in some cases, social security and credit card numbers.
The article states that The New York State Department of Financial Services imposed a $5 million penalty on Carnival Corp., citing the lack of multifactor authentication and lack of proper cybersecurity training for its employees. Carnival also had a $1.25 million settlement in 45 states and one in Washington, D.C. citing the failure to protect the information of 180,000 customers and employees.
As part of the settlement with the state’s Attorney Generals, the piece says that "Carnival agreed to several provisions, including implementation of a breach response and notification plan, implement email security training, multifactor authentication for remote email access and is undergoing an independent information security assessment."
We reached out to Norwegian Cruise Line to ask what measures they have in place to safeguard passengers’ private information when sailing with the line. They referred us to the Sail & Sustain 2021 EOS Report for Norwegian Cruise Line Holdings Ltd. (NCLH), the parent company for Norwegian, Regent Seven Seas and Oceania Cruises.
According to the EIS Report, the company’s Technology, Environment, Safety and Security ("TESS") Committee of their Board oversees programs and policies related to cybersecurity.
While the line does collect personal data to enhance the vacation experience (such as the cruise line app), the report states, “We are committed to protecting this information and implement physical, technical, and organizational security measures designed to safeguard the personal data we process." It goes on to say, "These measures are aimed at providing ongoing integrity and confidentiality of personal data and we evaluate and update these measures on a regular basis. We operate worldwide and therefore comply with local and international regulations."
According to the same report from NCLH, the company also employs a Chief Information Security Officer, a Chief Information Officer and they have a 24x7x365 Security Operations Center (SOC) which provides security monitoring on shore and for the shipboard IT systems and applications. And there’s a team of cybersecurity professionals "trained and equipped to identify, contain, analyze and investigate any perceived security threats; and, has the ability to assist internal users on 24x7x365 basis with any information security questions or reported issues, such as phishing/scam emails, information security concerns and security solution related access or performance issues."
As Michael Hadley, CEO and President of iCorps Technologies, explains, "Cruise lines need to balance security, convenience and the guest experience. Using a mobile device to pay for services is very convenient and an overall better consumer experience, however, it does open the end-user to being exploited. There is not much the cruise line can do to protect their customers, other than ensure the equipment used for these transactions is secure and has not been compromised. Placing security labels that are used to classify and protect sensitive information and restrict access to this information is one way of maintaining the integrity."
While the cruise lines have layers of security measures in place and teams to manage the complicated networks and potential cyber threats, it’s ultimately up to the passenger to protect themselves from cybercriminals. Lauria says, “Security is a shared responsibility, you cannot always assume that the business or vendor is doing the best possible job to protect you; as a matter of fact, it is best to assume they are not. Simple measures will reduce your exposure to these threats.” Lauria and Hadley suggest the following steps to ensure your safety when traveling and at sea:
Hadley adds, "Cybercriminals count on vacations for people to let their guard down, but those basic security techniques that you use in your day-to-day life should not change when you’re on vacation. Keeping vigilant will ensure your personal information is not compromised."
Better yet, if you’re on vacation, leave the electronic devices at home and take time to disconnect. That’s the best way to ensure your personal internet security.
If you are interested in learning more about these solutions, or comprehensive enterprise monitoring
solutions such as iCorps SOC-as-a-Service, reach out for a free IT consultation.