The New York State Department of Financial Services (NYDFS) announced a $5 million penalty Friday against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.

According to a consent order agreed to with Carnival and its subsidiaries (Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines), the company in April 2020 reported a 2019 cybersecurity event to the department in which “one or more unauthorized parties had gained access to 124 employee email accounts.”

After an internal investigation by Carnival, the company believed this first cyberattack occurred “due to a phishing email or password spray attack,” per the consent order.

Three additional breaches were reported by Carnival between August 2020 and March 2021, including two ransomware attacks and a phishing scheme.

The company failed to report the first incident for 10 months, implement multi-factor authentication within its internal email policy, and properly train employees on cybersecurity best practices, violating the NYDFS’s cybersecurity regulation.

As a result of these failures, the company’s cybersecurity compliance certifications for the calendar years 2018 through 2020 were improper, according to the regulator.

At the time of the incidents, Carnival was a licensed insurance producer in New York, sold various insurance products, and was subject to the NYDFS’s cybersecurity regulation. Carnival agreed to surrender its insurance licenses and cease selling insurance in New York.

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said NYDFS Superintendent Adrienne Harris. “DFS will continue diligently enforcing its first-in-the-nation cybersecurity regulation to ensure that consumers’ personal, nonpublic, and sensitive data are protected.”

The penalty follows Carnival’s $1.25 million settlement with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach.

The company did not respond to a request for comment.