Attorney General James along with 45 attorneys general today recovered $1.25 million from Carnival Cruise Line (Carnival) for compromising the personal information of thousands of employees and consumers because of poor internal security practices.
A 2019 data breach exposed the personal information of 180,000 Carnival employees and customers nationwide, including 6,575 New Yorkers. Carnival will pay New York $44,092.12 in penalties.
“Carnival Cruise Line failed to securely dock and safeguard thousands of consumers’ personal information,” said Attorney General James. “In today’s digital age, companies must shore up their data privacy measures to protect consumers from fraud. New Yorkers on vacation should not have to worry about their personal information being exposed. Today’s agreement will require Carnival to turn the tide on its reckless data security practices.”
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security numbers.
Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019 — approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes. “Unstructured” data breaches, like the Carnival breach, involve personal information stored in email and other disorganized platforms. Businesses lack visibility into this data, which makes breach notification more challenging, and the resulting delays create further risk for consumers.
Under today’s settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward, including:
- Implementing and maintaining a breach response and notification plan;
- Requiring email security training for employees, including dedicated phishing exercises;
- Instituting multi-factor authentication for remote email access;
- Requiring password policies and procedures that mandate strong, complex passwords, password rotation, and secure password storage;
- Maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and,
- Undergoing an independent information security assessment, consistent with past data breach settlements.
New York joined the investigation and settlement with Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
This matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger.
The Bureau of Internet and Technology is part of the Division of Economic Justice and led by Chief Deputy Attorney General Chris D’Angelo.
The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.