The New York State Department of Financial Services (NYDFS) announced a $5 million penalty Friday against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.
According to a consent order agreed to with Carnival and its subsidiaries (Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines), the company in April 2020 reported a 2019 cybersecurity event to the department in which “one or more unauthorized parties had gained access to 124 employee email accounts.”
