MarineMax yachts latest luxury retailer to suffer cyberattack


MarineMax, a US luxury yacht dealer and boating lifestyle brand, fell victim to a third-party cyberattack this week, the latest in a series of attacks targeting high-end retailers.

The company filed a breach notification with the US Securities and Exchange Commission (SEC) on March 12th, stating it became aware of the "cybersecurity incident" two days earlier.

“MarineMax, Inc. determined on March 10th, 2024, that it experienced a ‘cybersecurity incident’... whereby a third party gained unauthorized access to portions of its information environment,” the company stated in the SEC 8-K filing.


Headquartered in Clearwater, Florida, MarineMax owns 65 premium boat dealerships across the US and runs more than a dozen marinas along the East Coast, as well as in Texas, Missouri, and Minnesota.

Although there is no confirmation of ransomware, “the maritime industry has come under increased attack from cyber criminals recently because of the opportunity to cause harm and make money,” says Ryan McConechy, CTO of cybersecurity firm Barrier Networks.

“Criminals understand that the adoption of automation on boats means they can be virtually penetrated,” he said.

The full-service yacht purveyor and lifestyle brand provides financing, insurance, maintenance, and storage for boat owners, and also offers private yacht charters and other luxury yachting adventures to the public.


McConechy said that in this case, it seems the criminals targeted the organization’s network, rather than its vessels.

Still, McConechy noted that hackers could gain access to a boat's operational controls, which could then “be used to manipulate navigation systems and put the lives of people on the vessel in danger.”

MarineMax said it took “immediate measures to contain the incident” by following previously established response protocols and that business operations were not affected and continued “throughout this matter in all material respects.”


The company also said the portion of the network involved in the breach “does not maintain sensitive data,” although it also stated that the investigation to determine the “extent of the incident” is still in process.

McConechy said having an incident response plan in place has allowed MarineMax "to navigate the incident without any impact on operations." These plans must be "well-rehearsed," which will "allow everyone to step straight into action as soon as breaches are discovered," he said.

Cybernews has reached out to MarineMax and is awaiting a response at the time of this publishing. At this time, no ransomware group has come forward to claim the attack.

Luxury-based companies often easy prey

“As we are seeing with MarineMax, when organizations run incident response planning successfully, they can recover from breaches quickly, with minimal disruption to business or operations,” McConechy said.

MarineMax noted it is working with outside cybersecurity experts and law enforcement, and also said it's unclear what the financial impact of the attack may be at this time.

According to British-American insurance services company WTW, luxury brands are often a prime target for ransomware because these types of companies typically hold sensitive data of high-worth individuals and corporations.

WTW says victims would rather pay the ransom than risk reputational damage as a result of that data being leaked to the public.


Last February, the data of 790,000 customers ended up on a hacker forum after Dorben Group, a key partner for Valentino, Creed, and Michael Kors luxury brands in Latin America, was hit by cybercriminals.


Earlier this week, international luxury travel retailer Duty Free Americas (DFA) also suffered an attack at the hands of the Black Basta ransomware group, which claimed to have exfiltrated 1.5TB of sensitive information from the company's networks.

The gang posted an alleged cache of stolen data samples on its dark leak site, which included dozens of passports, driver's licenses, and credit card account numbers, including those of C-suite executives from the family-owned conglomerate.

“Nothing is 100% secure,” said McConechy. “Security controls are essential, but organizations must make plans for when they do get breached. These plans must detail everyone’s responsibilities, plus mitigation strategies to help with recovery efforts and safeguard business continuity,” he said.