TL;DR — too long, didn’t read
Carnival Corporation faces three class-action lawsuits after ShinyHunters listed almost 9 million records from Holland America Line's loyalty programme. Court filings allege Carnival did not have two-factor authentication on the compromised account. We covered the breach in our Intelligence Brief two weeks ago. This week: the legal aftermath, and what it previews for every maritime operator holding passenger or crew PII.
CISA published eight ICS advisories on 30 April. Two hit close to ports: ABB System 800xA IEC 61850 (CVE-2025-3756) allows crafted packets to crash substation control modules in terminal power systems, and Mitsubishi MELSEC iQ-F Ethernet modules (CVE-2026-1874/1875/1876) can be knocked offline by unauthenticated UDP traffic. Both are remotely triggerable, need no credentials, and affect equipment that runs in ports, shipyards, and offshore platforms.
Marlink added Stellar Cyber's NDR to its maritime security operations on 28 April. Singapore's MPA and Hamburg Port Authority signed a cybersecurity MoU with four universities. Defence infrastructure is being built. Whether it scales before the next campaign reaches European ports is another question.
Three things that matter this week
Three lawsuits in three days: what Carnival's breach previews for maritime
We covered the Carnival Corporation breach in our Intelligence Brief (16–30 April). ShinyHunters listed over 8.7 million records from Holland America Line's Mariner Society loyalty programme. Have I Been Pwned corroborated roughly 7.5 million unique email addresses. The data reportedly includes names, contact details, dates of birth, loyalty numbers, and possibly passport and payment information.
That was two weeks ago. This week the story moved from cybersecurity pages to courtrooms.
Between 22 and 24 April, three separate class-action lawsuits were filed in the United States District Court for the Southern District of Florida. The plaintiffs allege weak cybersecurity controls and delayed notification to affected individuals. One filing specifically claims that two-factor authentication was not in place on the compromised account — the single phishing compromise that Carnival says gave attackers access to the third-party environment containing the loyalty database.
The lawsuits seek financial compensation, lifetime credit monitoring, and a court-ordered overhaul of Carnival's data security. ShinyHunters had given Carnival until 21 April to pay. The lawsuits landed the next day.
This goes well beyond cruise lines. The legal argument in all three filings rests on a simple chain: company held millions of personal records, did not apply a basic control (2FA), got breached through exactly the vector 2FA would have stopped, then delayed telling the people whose data was taken. That chain fits any maritime operator holding PII. Ferry companies, port authorities, crewing agencies, ship managers. If the system with passenger or seafarer data does not have MFA, the Carnival playbook applies.
The insurance angle follows the same logic. Cyber liability policies now routinely require MFA as a baseline condition. A breach where MFA was absent may trigger coverage disputes. The Carnival filings preview how post-breach litigation will be framed going forward: not as a sophisticated nation-state attack nobody could stop, but as a failure to implement a control that has been standard practice for a decade.
Why this matters: Class-action litigation after a maritime cyber breach is new territory. Carnival is the test case. The standard being set is simple: "did you have 2FA?" Every maritime operator handling PII should be able to answer that question today.
One thing to do: Check whether every system in your organisation that holds passenger, seafarer, or crew personal data has multi-factor authentication enabled. Not "planned." Enabled. If your crewing platform, loyalty database, or booking system still relies on username and password alone, the Carnival lawsuits just told you what the litigation will look like.
Eight ICS advisories in one day — two that matter for maritime
CISA published eight ICS advisories on 30 April, covering ABB and Mitsubishi Electric products. Two are directly relevant to ports, offshore, and shipyards.
ABB System 800xA and Symphony Plus, IEC 61850 stack (CVE-2025-3756). A validation flaw in the IEC 61850 MMS client stack lets crafted network packets trigger device faults and denial of service in AC800M CI868 controllers (800xA), Symphony Plus SD CI850, and Symphony Plus MR PM877 modules. Repeated exploitation forces manual restarts and breaks IEC-61850-based power and control communications. These ABB platforms run substation automation and power distribution, including shore power systems, terminal substations, and industrial plants next to port operations.
Mitsubishi MELSEC iQ-F EtherNet/IP modules (CVE-2026-1874, CVE-2026-1875, CVE-2026-1876). Resource shutdown and control flow bugs in FX5-ENET/IP and FX5-EIP modules. Continuous UDP traffic from an unauthenticated source causes denial of service requiring a physical module reset. NVD scores CVE-2026-1874 at CVSS 7.5 (v3.1) and 8.7 (v4.0). MELSEC iQ-F controllers show up in shipyard production lines, cargo-handling equipment, and embedded vessel control systems.
Both are remotely triggerable. Neither requires credentials. Both require network reachability, which, as the Forescout BRIDGE:BREAK research showed two weeks ago (Issue #8), is the default state for far too many OT devices in maritime networks.
Why this matters: If you run ABB 800xA or Mitsubishi MELSEC in your port, terminal, or shipyard, these are not theoretical advisories. They are your Tuesday patch meeting.
One thing to do: Check whether your OT asset inventory covers ABB System 800xA/Symphony Plus modules and Mitsubishi MELSEC iQ-F Ethernet modules. If yes, verify that IEC 61850 and EtherNet/IP traffic is segmented from corporate IT and from internet-facing networks. If your inventory does not include power distribution and substation automation, it is incomplete.
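One way to run the inventory and segmentation check above against exported flow records, as an added example that is not part of the original newsletter. The zone layout, inventory and flow log are constructed sample data, and the watched ports are the standard registered ones for IEC 61850 MMS (TCP 102) and EtherNet/IP (TCP/UDP 44818, UDP 2222), not values taken from the advisories.

```python
"""Flag flows that reach advisory-affected OT modules from outside the OT zone."""
import ipaddress

# Module names taken from the newsletter's summary of the 30 April advisories.
AFFECTED = ("CI868", "CI850", "PM877", "FX5-ENET/IP", "FX5-EIP")

# Assumption: standard registered ports for the two protocols, not advisory data.
WATCHED = {("tcp", 102): "IEC 61850 MMS", ("tcp", 44818): "EtherNet/IP",
           ("udp", 44818): "EtherNet/IP", ("udp", 2222): "EtherNet/IP I/O"}

# Constructed sample data: zone layout, inventory and flow log are hypothetical.
OT_ZONES = [ipaddress.ip_network("10.50.0.0/16")]
INVENTORY = [
    {"ip": "10.50.1.10", "model": "ABB AC800M CI868", "site": "terminal substation"},
    {"ip": "10.50.2.20", "model": "Mitsubishi FX5-ENET/IP", "site": "crane PLC"},
    {"ip": "10.50.3.30", "model": "Generic HMI panel", "site": "gatehouse"},
]
FLOWS = [  # (source ip, destination ip, protocol, destination port)
    ("10.50.1.5", "10.50.1.10", "tcp", 102),      # OT engineering station: expected
    ("192.168.10.44", "10.50.1.10", "tcp", 102),  # corporate LAN to substation module
    ("203.0.113.9", "10.50.2.20", "udp", 44818),  # internet address to PLC module
    ("192.168.10.44", "10.50.3.30", "tcp", 443),  # destination is not an affected module
]

def affected_assets(inventory):
    """Return {ip: record} for inventory entries matching an affected module."""
    return {a["ip"]: a for a in inventory
            if any(tag in a["model"].upper() for tag in AFFECTED)}

def in_ot_zone(ip):
    """True when the address belongs to one of the declared OT networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_ZONES)

def segmentation_violations(inventory, flows):
    """List watched-protocol flows to affected modules that originate outside OT."""
    targets = affected_assets(inventory)
    findings = []
    for src, dst, proto, port in flows:
        service = WATCHED.get((proto, port))
        if dst in targets and service and not in_ot_zone(src):
            findings.append((src, dst, service, targets[dst]["model"]))
    return findings

if __name__ == "__main__":
    for src, dst, service, model in segmentation_violations(INVENTORY, FLOWS):
        print(f"{src} -> {dst} ({model}) via {service}: crosses the OT boundary")
```

An empty result from `affected_assets` on a site known to run these platforms points to the inventory gap the item describes rather than to a clean network.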
The industry is building defences. Is it fast enough?
Two things happened in late April that are worth noting together.
Marlink added Stellar Cyber NDR (28 April). Marlink, one of the largest maritime connectivity and managed security providers, plugged Stellar Cyber's behaviour-based Network Detection and Response into its security operations stack. The result: unified visibility across IT, OT, and endpoint traffic for Marlink's managed service customers, covering both vessel and shore-side networks. Until recently, that kind of detection capability meant building your own SOC. Now it comes bundled with your connectivity contract.
MPA Singapore + Hamburg Port Authority MoU (20 April). Singapore's Maritime and Port Authority signed a cybersecurity cooperation agreement with Hamburg Port Authority and four universities (SIT, SUTD, University of Hamburg, Hamburg University of Technology). The scope runs from port cybersecurity systems to unmanned vessels, remote ship operations, shipboard OT, and joint exercises. Two of the world's top-10 ports committing to shared cyber exercises is worth paying attention to.
Good signs, both of them. But the distance between "MoU signed" and "joint incident response during a live attack" is measured in years. And managed NDR reaches the operators who already have a security programme, not the small and mid-size companies that our research keeps showing are most exposed.
Why this matters: Maritime cyber defence infrastructure is being built. The concern is that it matures on a five-year timeline while the threat moves on a five-day one.
In case you missed it
Special Edition #SE03 — Copy Fail (CVE-2026-31431): 22 confirmed Linux-based maritime systems vulnerable to instant local root. Vendor advisory monitoring continues; update forthcoming when new patches land.
Special Edition #SE02 — Black Sea, reporting from Romania: Constanța port targeting, GNSS as the operational norm, NIS2 Romania transposition, the Apele Române ransomware resilience playbook.
All editions at newsletter.maritime-ogmios.tech.
Number of the week
600 000 — daily cyberattack attempts across the UAE and Gulf, according to the UAE Cyber Security Council. Three times pre-conflict levels. Port systems named among affected infrastructure, with some reportedly down for days. One source, no independent maritime press confirmation yet, so treat with caution. But if the figure holds, this would be the largest sustained cyber campaign touching port infrastructure since the 2022 Killnet wave against European ports.
Source: UAE Cyber Security Council, reported by Economic Times (29 April 2026) and Analytics Insight (3 May 2026).
Coming up
6th Maritime Security Conference — MARSEC COE Istanbul, 9–10 June 2026. Hosted by NATO's Maritime Security Centre of Excellence. mc3.maritime-ogmios.tech
Posidonia 2026 — Athens Metropolitan Expo, 1–5 June 2026. World's largest maritime exhibition; cyber panels confirmed. mc3.maritime-ogmios.tech
Confidence Conference — Kraków, 26–28 May 2026. We will be there. confidence-conference.org
Full conference calendar: mc3.maritime-ogmios.tech
Resource of the week
CISA ICS Advisories (30 April 2026) — Eight advisories covering ABB and Mitsubishi Electric. Start with ICSA-26-120-01 (ABB IEC 61850) and the Mitsubishi MELSEC iQ-F update. → cisa.gov/news-events/alerts/2026/04/30/cisa-releases-eight-industrial-control-systems-advisories
Cydome AIS Operational Security Advisory (29 April) — For vessels transiting the Strait of Hormuz: turning off AIS for perceived security makes things worse, not better. Secure AIS practices and layered defences instead. → marinelink.com/news/maritime/cyber-security
Free tabletop exercise: Port Ransomware Attack — your port's cargo management system goes dark. Container tracking offline. Manual operations only. 15 minutes, runs in your browser, no signup required. → tabletop.maritime-ogmios.tech
