Part 1: A very modern form of piracy: cybercrime against the shipping industry - Rapidly developing risks
UK & Europe
The maritime industry, which uses vast quantities of electronically stored and transmitted data, is particularly vulnerable to ransomware threats. Increasingly sophisticated strains, like Conti or REvil, can spread across the entire network of a shipping company, infecting computers globally and encrypting data. Not only are systems encrypted, but the ransom attacker may often exfiltrate data stored in servers. Therefore, the extortion not only relates to decrypting and restoring access to stolen information but also to threatening the public release of the stolen data on the dark web. Even if a company could restore their data from backups and avoid the need to rely on decryption keys from the threat actor, the risk of any data accessed or exfiltrated being disclosed or published remains.
A very recent example of a ransomware attack on a maritime company took place in December 2020 when a Norwegian cruise company, Hurtigruten, was targeted and forced to shut down its website. Although precise details are unknown, its systems may have been compromised, its data encrypted and possibly exfiltrated, and a ransom payment probably demanded. It is reported the incident may have affected passengers’ personal information, such as names, dates of birth, passport details, email and home addresses, phone numbers, and some medical information. It is believed that the company, which operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic, responded by disabling affected computer systems, launching an investigation to determine the data and individuals affected, and reporting the incident to law enforcement. There are no figures available on the financial impact that the incident may have caused the company.
Shipping companies are likely to hold a broad range of sensitive data which could be of interest to malicious actors. Commercially sensitive material of potential interest to cyber hackers, held by shipowners, charterers, or shipping agents, would consist of data regarding contracts of affreightment, charterparties, freight rates, time charter rates, and bills of lading. Other sensitive data would also include information concerning financing facilities and banking details, which financial institutions and clients handle with extreme confidentiality. Insurance arrangements would also be seen as valuable. In some cases that we have seen, the cyber attackers who had access to the files and data in the network became aware of the policy limits in the victim’s cyber insurance policy, which they could then factor in to their ransom demands and negotiations.
As another example, a ship management company managing third-party owned vessels, providing management, technical and personnel services to ship owners could be handling crucial information relating to the safety management systems of all their vessels, maintenance programmes, flag state, class society and port state control and management service fees and budgets. The prospect of any of this confidential data being compromised and later threatened with public release would be of obvious concern to ship managers and their owner clients.
Hackers do not always threaten public release of stolen data but can instead threaten to destroy it. In September 2020, CMA CGM was hit by the Ragnar Locker data encryption malware, which first appeared in 2019, and was designed to extort ransom money by threatening the destruction of encrypted files. The attack was reported to have hit a few Chinese offices but forced the carrier to shut down its entire network to prevent the spread. The hacker’s message reportedly read: “If you are reading this, it’s mean (sic) your data was encrypted and your sensitive private information was stolen. ... There is ONLY ONE possible way to get back your files – contact us via live chat and pay for the special DECRYPTION KEY!” CMA CGM were given two days to make contact. No details of the ransom amount or negotiations were released, however, an earlier attack by Ragnar Locker forced a Portuguese energy firm to pay a ransom of nearly USD10 million in Bitcoin.
In addition to the operational, financial, and reputational risks that may result from hacked commercial data, a shipping company may also have breached data protection legislation where the personal data records of individuals have been compromised. Personal details can be held for various reasons. Ship management companies, which handle crewing requirements for shipowner clients, hold the valuable personal records of thousands of seafarers and personnel, tracking their employment history, payroll and claims expenses data, medical records, and personal information. Similarly, cruise line and ferry operators process information relating to thousands, sometimes millions of passengers in the case of the larger players. This may include names, addresses, phone numbers, passport details, dates of birth, and occasionally health and personal information, as illustrated by the Hurtigruten cyber hack.
As mentioned, any compromise of personal data could open a shipping company to the risk of violating data protection laws, possibly in various jurisdictions, and expose it to mandatory reporting regimes and potential administrative penalties and fines where the relevant data privacy obligations have not been met. We will briefly look at two such regulations: the EU and the UK GDPR.
On 25 May 2018, the General Data Protection Regulation (GDPR), described as the toughest privacy and security law in the world, entered into force in the EU, including the UK, and was soon after extended to the EEA (which includes the EU, Iceland, Norway and Lichtenstein). The GDPR was enacted into UK law as the Data Protection Act 2018 (DPA). The Regulation is intended to give EEA individuals ownership and control over their personal data. It imposes obligations on organisations located anywhere in the world which process the personal data of EEA citizens/residents, offer them goods or services, or monitor their behaviour, even if the data processing takes place outside the EEA.
Under the GDPR, data processing refers to any act performed on data such as recording, storing, organising, erasing, essentially any data handling. Personal data covers any information relating to an individual who can be directly or indirectly identified. This information includes email addresses, location information, gender, age, cookie identifiers. Pseudonymous data (where an individual’s identity is disguised) is also caught in the definition if the individual can easily be identified.
The key question a shipping business should consider is whether, by virtue of its activities, it is subject to the GDPR as, if this is the case, it will be required to have data protection processes and procedures in place. In some cases, this will be self-evident (e.g. an organisation “established” within the EEA pursuant to Article 3(1) or which meets the “targeting” criteria under Article 3(2)). In other cases, the application of the GDPR may not be so obvious.
The multi-jurisdictional nature of the maritime industry, and the cross border flow of data that accompanies it, sets it apart from some other economic sectors, and it is this international element that should be closely examined to determine whether any aspect of a shipping operation is likely to make it subject to the GDPR. A shipping company located outside the EEA should review any area of interaction with the EEA. Does the company offer goods or services to persons within the EEA, including persons onboard vessels flagged in an EEA member state? Is the personal data of EEA persons held on data bases? Are tracking cookies used to monitor the behaviour patterns of persons within the EEA? Does the organisation have an office or conduct regular operations from within the EEA? Does it use EEA-based servers? Does it have EEA flagged vessels? These are a few of the questions a shipping business should be asking to determine the applicability of the GDPR.
A shipping organisation, cruise line operator, ferry company, ship manager subject to the GDPR, should be mindful of the seven protection and accountability principles at the heart of GDPR Article 5(1). Failure to comply with these principles may expose a shipping company to scrutiny from data protection regulators and may lead to enforcement action or substantial fines.
Articles 33 and 34 of the GDPR set out the data breach notification obligations. The obligation to notify the relevant data protection regulator falls on the controller (i.e. the person who handles personal data and decides why and how to process it). Following a data breach, the controller has 72 hours from becoming aware of the breach to notify the regulator “unless the personal data breach is unlikely to result in a risk to the rights and freedoms” of natural persons. In addition, where a data breach is “likely to result in a high risk to the rights and freedoms” of natural persons, the controller must notify the breach to the data subjects without undue delay.
The financial consequences of a data breach under the GDPR can be severe. Fines can be the higher of 20 million euros or 4% of the annual global turnover, which in the case of a large ship-owning company or cruise line operator could correspond to a substantial amount.
An example of a large penalty was that levied against Marriott International, which was fined over £18.4 million by the UK’s Information Commissioner’s Office (ICO) after the hotel chain’s guest reservation database was compromised following a cyber-attack in 2014. It is understood that 383 million client records were affected - 30 million of which belonged to EU residents - involving one or more of the following: names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. The cyber attack was only discovered in September 2018 although it originated in 2014. Malware was installed which enabled the attacker to gain access to the system as a privileged user. This incident highlights the potential consequences when a business fails to look after customers’ data. As the ICO made clear in a statement about the fine it issued, “the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect”.
In addition to the potential regulatory penalty, an organisation in breach of the regulation may also be required to compensate financially the victims of the breach who are entitled to seek compensation under Article 82 of the GDPR.
The UK regulatory position is now set out in a version of the EU GDPR as it stood at 11 pm on 31 December 2020 as amended by relevant EU Exit regulations (UK GDPR). While it may be a while before material differences in the application and interpretation of the UK and EU GDPR develop, companies will also need to pay heed to a third piece of legislation referred to as the “Frozen GDPR” under which so-called “legacy data” including EU data acquired before 1 January 2021 is subject to the EU GDPR as it stood at 11 pm on 31 December 2020. There is no doubt that the interplay between these regimes presents challenges to shipowners from a compliance, cost and notification perspective.
Maritime industry organisations need to remain alert to the evolving landscape of cyber-crime and should focus their attention on ensuring their cyber-security programmes can protect their commercially sensitive information and personal data against new forms of insidious and costly malware attacks. In addition, the importance of conducting regular audits to ensure compliance with the relevant data protection laws should not be forgotten. If you would like to discuss in more detail any of the points raised in this update, please feel free to reach out to any of the contacts listed below or to your usual contact at Clyde & Co.