Carnival reaches $1.25M settlement over 2019 data breach

By Jeff Dale2022-06-23T19:33:00+01:00

No comments

Carnival Cruise Line reached a $1.25 million settlement Wednesday with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.

In March 2020, Carnival, through subsidiaries Holland America Line and Princess Cruises, reported the breach, in which names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a small number of Social Security numbers were exposed.

Carnival said it first became aware of suspicious email activity in May 2019, 10 months before publicly announcing the incident. A multistate probe was launched, focusing on Carnival’s email security practices and compliance with data breach statutes.

On Wednesday, Carnival agreed to pay the fine for its alleged misconduct and comply with changes to strengthen its email security and breach response practices going forward, including:

Implementation and maintenance of a breach response and notification plan;
Email security training requirements for employees, including dedicated phishing exercises;
Multifactor authentication for remote email access;
Password policies and procedures requiring the use of strong passwords, password rotation, and secure password storage;
Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
Undergoing an independent information security assessment.

On top of these requirements, Carnival must employ a chief information security officer (CISO) going forward, according to the settlement. The CISO must have proper credentials, background, and expertise in information security and will oversee the implementation and maintenance of the company’s information security program.

“The CISO’s responsibilities shall also include reporting any security incident impacting 500 or more consumers in the United States to the chief executive officer, chief information officer, and chief operations officer within 48 hours of discovery,” the settlement stated. “The CISO shall report security incidents to the audit committee in accordance with Carnival’s incident response plan.”

The investigation was co-led by Connecticut, Florida, and Washington. Alabama, Arizona, Arkansas, Ohio, and North Carolina provided additional assistance and were joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

Carnival did not respond to a request for comment.

Jeff DaleJeff Dale is the Digital Editor of Compliance Week. He previously worked as a copy editor with the Boston Herald and Patriot Ledger in Quincy, Mass., and is a former city editor of The Hour Publishing Co. in Norwalk, Conn.

Topics

No comments

Article
NYDFS penalizes Carnival $5M for cybersecurity failures
2022-06-27T16:18:00Z
The New York State Department of Financial Services announced a $5 million penalty against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.
Article
Carnival CECO Peter Anderson resigns
2022-05-19T16:49:00Z
Peter Anderson, Carnival’s first chief ethics and compliance officer and a central figure in leading the cruise line giant through its environmental compliance monitorship, has resigned. Richard Brilliant, Carnival’s chief audit officer, will replace Anderson in the new role of chief risk and compliance officer.
Article
Big week for breaches: McDonald’s, Carnival, and more
2021-06-18T19:20:00Z
Multiple high-profile companies—including Carnival, Wegmans, McDonald’s, Volkswagen, and CVS—have confirmed in recent days they were either victims of a data breach or were alerted to a gap in their security controls.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More Regulatory Enforcement

Article
Credit Suisse money laundering verdict start of new era of Swiss enforcement?
2022-07-01T17:58:00Z
Credit Suisse became the first major Swiss bank to be prosecuted for money laundering in the country after the Federal Criminal Court of Switzerland found the bank guilty of washing money connected to a Bulgarian drug smuggling syndicate.
Article
FINRA fines Barclays $2.8M over supervision, disclosure lapses
2022-07-01T16:36:00Z
Barclays Capital agreed to pay $2.8 million as part of a settlement with the Financial Industry Regulatory Authority for “failure to comply with customer confirmation and related supervision rules” that led to disclosure lapses.
Article
UBS to pay $25M over ‘inadequate’ training, oversight in SEC fraud case
2022-06-30T19:26:00Z
UBS Financial Services agreed to pay approximately $25 million to settle fraud charges brought by the SEC that cited “inadequate” training and supervisory oversight of the firm’s financial advisers regarding a complex options trading strategy.

Protect your company from cyber risks

Learn from the latest headlines and protect your company today

Carnival reaches $1.25M settlement over 2019 data breach

Topics

Related articles

NYDFS penalizes Carnival $5M for cybersecurity failures

Carnival CECO Peter Anderson resigns

Big week for breaches: McDonald’s, Carnival, and more

No comments yet

Only registered users can comment on this article.

More Regulatory Enforcement

Credit Suisse money laundering verdict start of new era of Swiss enforcement?

FINRA fines Barclays $2.8M over supervision, disclosure lapses

UBS to pay $25M over ‘inadequate’ training, oversight in SEC fraud case