
Carnival hit with $5 million fine over cyber security violations

The cruise line operator was criticised for failing to implement multi-factor authentication and failing to conduct cyber security training for its staff

The cruise line operator Carnival Corporation was fined $5 million last Friday over violating New York’s cyber security laws.

The company will pay the penalty to New York State for violations of the Cybersecurity Regulation which caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, said New York State’s Department of Financial Services (DFS). Carnival’s brands include Seabourn, Princess, and Holland America.

The department’s investigation found evidence that Carnival had been subject to four cyber security events between 2019 and 2021, including two ransomware attacks. They involved unauthorised access to the company’s information systems, leading to the exposure of customers’ sensitive personal data.

The investigation also found that Carnival violated the DFS Cybersecurity Regulation by failing to implement multi-factor authentication (MFA), failing to promptly report the first event to the department as required, and failing to conduct adequate cyber security training for personnel.

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said Adrienne A. Harris, Superintendent of the DFS. “DFS will continue diligently enforcing its first-in-the-nation Cybersecurity Regulation to ensure that consumers’ personal, non-public, and sensitive data are protected.”   

As a result of these failures, the DFS said that Carnival’s cyber security compliance certifications for 2018 through 2020 were improper. The delay in MFA implementation, together with the training and reporting failures, left Carnival’s systems and its consumers’ Non-public Information (NPI) extremely vulnerable to bad actors.

Additionally, Carnival’s companies were licensed insurance producers in New York State at the time of the incidents. They sold several insurance products and were subject to DFS’s Cybersecurity Regulation. As part of the settlement, Carnival surrendered the insurance producer licence and ceased selling insurance in the state.

IT Pro has contacted Carnival for comment.

Last week, Carnival also reached a $1.25 million settlement with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach, according to Compliance Week. The breach involved the personal information of 180,000 employees and customers nationwide.

In March 2020, the company reported the breach which exposed information like names, addresses, passport numbers, driver's licenses, payment card information, and Social Security numbers. However, it stated it first became aware of suspicious email activity in May 2019, 10 months before publicly declaring the incident. As a result, a multistate probe was launched, focusing on the company's email security practices.

What is the New York State Cybersecurity Regulation?


The Cybersecurity Regulation was released in March 2017 and became fully effective in March 2019. It was drafted with industry input: the DFS surveyed around 200 regulated banking institutions and insurance companies, met with a cross-section of respondents and cyber security experts during the drafting period, and facilitated two rounds of notice and comment.

The Cybersecurity Regulation imposes cyber security requirements on covered organisations, including establishing a detailed cyber security programme, designating a Chief Information Security Officer, and maintaining a reporting process for cyber security events.

Individuals and entities required to comply with it include partnerships and organisations that operate under a licence or similar authorisation under the banking law, insurance law, or the financial services law in the state of New York.
