The maritime industry, which uses vast quantities of electronically stored and transmitted data, is particularly vulnerable to ransomware threats. Increasingly sophisticated strains, like Conti or REvil, can spread across the entire network of a shipping company, infecting computers globally and encrypting data. Not only are systems encrypted, but the ransom attacker may often exfiltrate data stored in servers. Therefore, the extortion not only relates to decrypting and restoring access to stolen information but also to threatening the public release of the stolen data on the dark web. Even if a company could restore their data from backups and avoid the need to rely on decryption keys from the threat actor, the risk of any data accessed or exfiltrated being disclosed or published remains.

A very recent example of a ransomware attack on a maritime company took place in December 2020 when a Norwegian cruise company, Hurtigruten, was targeted and forced to shut down its website. Although precise details are unknown, its systems may have been compromised, its data encrypted and possibly exfiltrated, and a ransom payment probably demanded. It is reported the incident may have affected passengers’ personal information, such as names, dates of birth, passport details, email and home addresses, phone numbers, and some medical information. It is believed that the company, which operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic, responded by disabling affected computer systems, launching an investigation to determine the data and individuals affected, and reporting the incident to law enforcement. There are no figures available on the financial impact that the incident may have caused the company.

Data as an asset

Shipping companies are likely to hold a broad range of sensitive data which could be of interest to malicious actors. Commercially sensitive material of potential interest to cyber hackers, held by shipowners, charterers, or shipping agents, would consist of data regarding contracts of affreightment, charterparties, freight rates, time charter rates, and bills of lading. Other sensitive data would also include information concerning financing facilities and banking details, which financial institutions and clients handle with extreme confidentiality. Insurance arrangements would also be seen as valuable. In some cases that we have seen, the cyber attackers who had access to the files and data in the network became aware of the policy limits in the victim’s cyber insurance policy, which they could then factor in to their ransom demands and negotiations.

As another example, a ship management company managing third-party owned vessels, providing management, technical and personnel services to ship owners could be handling crucial information relating to the safety management systems of all their vessels, maintenance programmes, flag state, class society and port state control and management service fees and budgets. The prospect of any of this confidential data being compromised and later threatened with public release would be of obvious concern to ship managers and their owner clients.

Destruction of data

Hackers do not always threaten public release of stolen data but can instead threaten to destroy it. In September 2020, CMA CGM was hit by the Ragnar Locker data encryption malware, which first appeared in 2019, and was designed to extort ransom money by threatening the destruction of encrypted files. The attack was reported to have hit a few Chinese offices but forced the carrier to shut down its entire network to prevent the spread. The hacker’s message reportedly read: “If you are reading this, it’s mean (sic) your data was encrypted and your sensitive private information was stolen. … There is ONLY ONE possible way to get back your files – contact us via live chat and pay for the special DECRYPTION KEY!” CMA CGM were given two days to make contact. No details of the ransom amount or negotiations were released, however, an earlier attack by Ragnar Locker forced a Portuguese energy firm to pay a ransom of nearly USD10 million in Bitcoin.

Personal data

In addition to the operational, financial, and reputational risks that may result from hacked commercial data, a shipping company may also have breached data protection legislation where the personal data records of individuals have been compromised. Personal details can be held for various reasons. Ship management companies, which handle crewing requirements for shipowner clients, hold the valuable personal records of thousands of seafarers and personnel, tracking their employment history, payroll and claims expenses data, medical records, and personal information. Similarly, cruise line and ferry operators process information relating to thousands, sometimes millions of passengers in the case of the larger players. This may include names, addresses, phone numbers, passport details, dates of birth, and occasionally health and personal information, as illustrated by the Hurtigruten cyber hack.

As mentioned, any compromise of personal data could open a shipping company to the risk of violating data protection laws, possibly in various jurisdictions, and expose it to mandatory reporting regimes and potential administrative penalties and fines where the relevant data privacy obligations have not been met. We will briefly look at two such regulations: the EU and the UK GDPR.

GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR), described as the toughest privacy and security law in the world, entered into force in the EU, including the UK, and was soon after extended to the EEA (which includes the EU, Iceland, Norway and Lichtenstein). The GDPR was enacted into UK law as the Data Protection Act 2018 (DPA). The Regulation is intended to give EEA individuals ownership and control over their personal data. It imposes obligations on organisations located anywhere in the world which process the personal data of EEA citizens/residents, offer them goods or services, or monitor their behaviour, even if the data processing takes place outside the EEA.

Under the GDPR, data processing refers to any act performed on data such as recording, storing, organising, erasing, essentially any data handling. Personal data covers any information relating to an individual who can be directly or indirectly identified. This information includes email addresses, location information, gender, age, cookie identifiers. Pseudonymous data (where an individual’s identity is disguised) is also caught in the definition if the individual can easily be identified.

The key question a shipping business should consider is whether, by virtue of its activities, it is subject to the GDPR as, if this is the case, it will be required to have data protection processes and procedures in place. In some cases, this will be self-evident (e.g. an organisation “established” within the EEA pursuant to Article 3(1) or which meets the “targeting” criteria under Article 3(2)). In other cases, the application of the GDPR may not be so obvious.

The multi-jurisdictional nature of the maritime industry, and the cross border flow of data that accompanies it, sets it apart from some other economic sectors, and it is this international element that should be closely examined to determine whether any aspect of a shipping operation is likely to make it subject to the GDPR. A shipping company located outside the EEA should review any area of interaction with the EEA. Does the company offer goods or services to persons within the EEA, including persons onboard vessels flagged in an EEA member state? Is the personal data of EEA persons held on data bases? Are tracking cookies used to monitor the behaviour patterns of persons within the EEA? Does the organisation have an office or conduct regular operations from within the EEA? Does it use EEA-based servers? Does it have EEA flagged vessels? These are a few of the questions a shipping business should be asking to determine the applicability of the GDPR.

A shipping organisation, cruise line operator, ferry company, ship manager subject to the GDPR, should be mindful of the seven protection and accountability principles at the heart of GDPR Article 5(1). Failure to comply with these principles may expose a shipping company to scrutiny from data protection regulators and may lead to enforcement action or substantial fines.

Articles 33 and 34 of the GDPR set out the data breach notification obligations. The obligation to notify the relevant data protection regulator falls on the controller (i.e. the person who handles personal data and decides why and how to process it). Following a data breach, the controller has 72 hours from becoming aware of the breach to notify the regulator “unless the personal data breach is unlikely to result in a risk to the rights and freedoms” of natural persons. In addition, where a data breach is “likely to result in a high risk to the rights and freedoms” of natural persons, the controller must notify the breach to the data subjects without undue delay.

The financial consequences of a data breach under the GDPR can be severe. Fines can be the higher of 20 million euros or 4% of the annual global turnover, which in the case of a large ship-owning company or cruise line operator could correspond to a substantial amount.

An example of a large penalty was that levied against Marriott International, which was fined over £18.4 million by the UK’s Information Commissioner’s Office (ICO) after the hotel chain’s guest reservation database was compromised following a cyber-attack in 2014. It is understood that 383 million client records were affected – 30 million of which belonged to EU residents – involving one or more of the following: names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. The cyber attack was only discovered in September 2018 although it originated in 2014. Malware was installed which enabled the attacker to gain access to the system as a privileged user. This incident highlights the potential consequences when a business fails to look after customers’ data.  As the ICO made clear in a statement about the fine it issued, “the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect”.

In addition to the potential regulatory penalty, an organisation in breach of the regulation may also be required to compensate financially the victims of the breach who are entitled to seek compensation under Article 82 of the GDPR.

UK GDPR

The UK regulatory position is now set out in a version of the EU GDPR as it stood at 11 pm on 31 December 2020 as amended by relevant EU Exit regulations (UK GDPR). While it may be a while before material differences in the application and interpretation of the UK and EU GDPR develop, companies will also need to pay heed to a third piece of legislation referred to as the “Frozen GDPR” under which so-called “legacy data” including EU data acquired before 1 January 2021 is subject to the EU GDPR as it stood at 11 pm on 31 December 2020. There is no doubt that the interplay between these regimes presents challenges to shipowners from a compliance, cost and notification perspective.

Source: clydeco

Press Release – Inmarsat, the world-leading mobile satellite communications provider, and OneOcean, the global leader in compliance and navigation services for the maritime industry, are delighted to announce a partnership that focuses on the next phase of the digitalisation of navigation and compliance in the maritime industry.

The multi-phase agreement which will see OneOcean become an Inmarsat Certified Application Provider (CAP) is centred on leveraging Inmarsat’s technology platform and OneOcean’s digital solutions to transform the way voyage planning software is deployed, updated and integrated between ship and shore.

Remote deployment of OneOcean technology is the first of many benefits of the partnership, enabling reduced set-up time, minimum disruption and, most importantly, reduced cyber risk. Physical deployment of all software has unavoidably been affected due to lockdown restrictions and growing onboard cyber security concerns. This agreement will address these issues, by enabling global deployment of software through on-demand, cyber secure, digital operations.

The software will be deployed over Inmarsat’s high-speed Fleet Connect dedicated bandwidth service, which is completely separate from crew and business traffic and helps free-up constrained bandwidth for other essential tasks onboard and ensure safety critical navigational tools remain up to date.

Finally, it will allow OneOcean customers to extract the maximum value from their voyage planning and compliance software, which has been designed to simplify and standardise working practices between ship and shore.  Data capture and sharing with teams ashore will be greatly optimised and allow for improved decision making and real time interventions across an individual voyage or fleet operations.

This is all made possible by Fleet Connect, which provides an uninterrupted satellite link between tens of thousands of vessels and seafarers across the world’s oceans. By combining this pioneering technology with OneOcean’s vision for progressive, maritime solutions, the partnership heralds a new era of maritime digitalisation.

“We are delighted to welcome OneOcean to our CAP ecosystem joining over 40 other application providers. By using Fleet Connect, vessels can update mission-critical software easily and cost-effectively without installing new hardware, at a time when Covid-19 continues to make ship visits especially challenging,” said Ronald Spithout, President, Inmarsat Maritime. “This is the first part of an agreement through which two leading companies have identified collaboration as the most competitive and practical route towards fully digitalised voyage planning and navigation.”

Martin Taylor, CEO of OneOcean, also commented on the exclusive agreement, “We are very proud to be working with Inmarsat on our mission to fully digitalise the maritime industry. We are constantly developing new software and looking at ways to improve the ship to shore integrated experience. This partnership supports our mission to break down barriers and create the connected ship.  As a first step, I am looking forward to leveraging the benefits that Fleet Connect brings to our customers and software.”

About OneOcean

OneOcean is the largest single digital solutions company in the maritime industry and the global leader in digital navigation and voyage compliance. The business supports nearly 20,000 vessels in their regulatory and navigational activities, making life easier for ship owners and managers, both onboard and onshore. Its aim is to simplify e-navigation and compliance with the powerful OneOcean platform built for the future while giving onboard and onshore teams the real-time information they need when they need it.

For further information, visit www.oneocean.com

About Inmarsat

Inmarsat is the world leader in global, mobile satellite communications. It owns and operates the world’s most diverse global portfolio of mobile telecommunications satellite networks, and holds a multi-layered, global spectrum portfolio, covering L-band, Ka-band and S-band, enabling unparalleled breadth and diversity in the solutions it provides. Inmarsat’s long-established global distribution network includes not only the world’s leading channel partners but also its own strong direct retail capabilities, enabling end to end customer service assurance.

The company has an unrivalled track record of operating the world’s most reliable global mobile satellite telecommunications networks, sustaining business and mission critical safety & operational applications for more than 40 years. It is also a major driving force behind technological innovation in mobile satellite communications, sustaining its leadership through a substantial investment and a powerful network of technology and manufacturing partners.

Inmarsat operates across a diversified portfolio of sectors with the financial resources to fund its business strategy and holds leading positions in the Maritime, Government, Aviation and Enterprise satcoms markets, operating consistently as a trusted, responsive and high-quality partner to its customers across the globe.

Source: gcaptain

The U.S. trade deficit hit a record in February as the country’s economic activity rebounds faster than its global rivals and could remain elevated this year as a massive fiscal stimulus is expected to spur the fastest growth in nearly four decades.

The economy is roaring ahead as a surge in COVID-19 vaccines and the White House’s $1.9 trillion pandemic rescue package boost domestic demand, some of which is being satiated by imports. President Joe Biden last week proposed a $2 trillion infrastructure plan, which is expected to attract even more imports and trigger economic growth.

“The deficit could remain large this year and next due to fiscal stimulus and the potential infrastructure package that could be passed in the second half of this year,” said Ryan Sweet, senior economist at Moody’s Analytics in West Chester, Pennsylvania. “As the economy continues to strengthen, this will keep the deficit broad-based.”

The trade deficit soared 4.8% to a record $71.1 billion in February, according to data from the Commerce Department. Economists had forecast a deficit of $70.5 billion. The goods trade gap was also the highest on record.

Exports fell 2.6% to $187.3 billion. Goods exports fell 3.5% to $131.1 billion, likely affected by unusually cold weather in much of the country. The decline was led by shipments of capital goods, which fell by $2.5 billion.

Exports of consumer goods fell, as did exports of motor vehicles, parts and engines. There were also fewer food exports. The pandemic continued to be a drag on services exports, especially travel.

Imports fell 0.7% to $258.3 billion. Imports of goods fell by 0.9% to $219.1 billion. This drop probably reflects supply chain constraints rather than weak domestic demand. In fact, imports of capital goods reached a record high, driven by civilian aircraft, medical equipment and electrical equipment, among others.

Imports of industrial supplies and materials were the highest since October 2018, thanks to $1 billion worth of crude oil imports. That caused the U.S. to post its first oil deficit since December 2019.

But imports of motor vehicles, parts and engines declined as did imports of consumer goods. The reduction in trade flows in February was due in part to inclement weather and logistical and transportation problems at ports.

“Congestion at the ports of Los Angeles and Long Beach, which together account for one-third of U.S. container imports, caused container ships to anchor offshore while waiting for available port space,” said Jay Bryson, chief economist at Wells Fargo Securities in Charlotte, North Carolina.

“Even when ships are docked and unloaded, port executives report higher-than-normal container dwell time, or the time it takes importers to pick up their cargo from the port.”

Following the recent six-day blockade of the Suez Canal, economists expect trade flows to remain depressed in March.

Stocks on Wall Street were trading higher. The dollar fell against a basket of currencies. U.S. Treasury bond prices were mostly higher.

A Drag on Growth

Adjusted for inflation, the goods trade deficit soared to a record $99.1 billion in February, up from $96.1 billion in January. The so-called real trade deficit is well above the average for the October-December period.

JPMorgan economists estimate that trade could subtract a percentage point from GDP growth in the first quarter, which would be the third consecutive quarterly drag.

But that is unlikely to dent first-quarter GDP growth estimates, which currently stand at an annualized rate of 10%. The economy grew at a 4.3% pace in the fourth quarter.

Economists forecast that growth this year could exceed 7%, which would be the fastest since 1984. The economy contracted 3.5% in 2020, the worst performance in 74 years. The International Monetary Fund expects the global economy to expand by 6% this year, driven mainly by the U.S. economy, which the fund estimates will grow by 6.4%.

From the labor market to the hard-hit manufacturing and service sectors, activity accelerated sharply in March.

But the housing market, one of the stars of the pandemic, is showing signs of fatigue.

A separate report from the Mortgage Bankers Association (MBA) on Wednesday showed applications for loans to buy a home fell 4.6% last week, dropping for a second straight week.

According to the MBA, the 30-year mortgage fixed rate has risen to 3.36%, a 10-month high. That, combined with higher house prices due to an acute shortage of properties, is making home-ownership more expensive for some first-time buyers.

“With inventory at record lows and affordability increasingly stretched thanks to rapid house price gains, we expect home purchase demand will trend down this year,” said Matthew Pointon, senior property economist at Capital Economics in New York.

Source: fullavantenews