Carnival Cruise Line has agreed to a $1.25 million settlement with 46 attorneys general. The settlement stems from a data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide.
In August 2020, Carnival reported a data breach in which a person or organization gained access to certain Carnival employee e-mail accounts.
The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and Social Security Numbers.
Carnival Cruise Line To Pay $1.25 Million Over Data Breach
Carnival Cruise Line has entered a settlement agreement with 46 attorneys general throughout the United States. The settlement comes from a data breach widely reported at the time.
The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers.
In March 2020, Carnival stated that it acted quickly to shut down the intrusion and restore operations. At that time, the company did preventive maintenance work to prevent further unauthorized access, hired a cybersecurity firm to investigate the matter, and notified the relevant authorities.
As it turns out, the breach had already happened before August of 2020, possibly as early as May of 2019, according to a press release from the group of 46 attorneys general:
“Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019 — approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.”
The breach that affected Carnival Cruise Line and its sister lines was an unstructured data breach. Breaches of this type typically occur when employees store sensitive information in emails or other unsecured platforms and that data falls into the wrong hands.
Carnival To Implement Several Security Responses
Besides the $1.25 million fine, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices. Those include:
- Implementing a breach response plan
- Email security training for employees, including training to spot possible phishing attempts
- Multi-factor authentication for remote email access
- A review of the password policies within the company
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage
- Logging and monitoring potential security events on the company’s network
- Undergoing an independent information security assessment
In the last two years, Carnival Cruise Line and Carnival Corporation have come under intense scrutiny following several data breaches, cyberattacks, and ransomware attacks, all of which had some impact on the affected cruise lines and cruise ships.
In August of 2020, Carnival Corporation was hit by a ransomware attack. During this attack, several files were encrypted and downloaded. At the time, P&O Cruises and sister line Cunard Line both posted updates of an issue with IT systems and even phone lines.
On December 29, 2020, AIDA Cruises, the German cruise operator owned by Carnival Corporation, went through a cyberattack that brought down the company’s phone lines and several IT systems.
In March of 2021, Carnival Cruise Line suffered another data breach. The breach affected the personal information of some guests, employees, and crew for Carnival Cruise Line, Holland America Line, Princess Cruises, and medical operations.
At worst, a well-placed cyberattack could lead to safety issues for guests, crew, and the vessel itself, especially with ships becoming increasingly dependent on cloud interfacing.