Expensive week for Carnival Corp: a $1.25 million settlement with states over one breach, then a $5 million settlement with New York for violating state cybersecurity regulation
It seems this was the week for following up on Carnival Corporation breaches. Earlier this week, state attorneys general announced a $1.25 million multistate settlement with the cruise line over a 2019 data breach first disclosed in 2020. But there was other news concerning the cruise line this week, too.
On Friday, the New York State Department of Financial Services settled charges against Carnival Corporation with a $5 million monetary penalty and consent order for violating New York’s Cybersecurity Regulation. Carnival’s failure to deploy Multi-Factor Authentication as well as other violations contributed to Carnival having four cybersecurity incidents. The first incident is the 2019 one disclosed in 2020 that resulted in a settlement with states this week. But there were also three other incidents after that, which are all described in the consent order (one of which had been noted on DataBreaches in 2021). Two of the four incidents were ransomware incidents.
The state’s press release explains, in part:
The Department’s investigation uncovered, among other things, that the Carnival Companies violated the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”), failing to promptly report the first Cybersecurity Event to the Department as required by the Regulation, and failing to conduct adequate cybersecurity training for their personnel.
As a result of these failures, the Carnival Companies cybersecurity compliance certifications for the calendar years 2018 through 2020 were improper. The delay in MFA implementation, together with the training and reporting failures, left Carnival Companies’ Information Systems and their consumers’ Non-Personal Information (“NPI”) extremely vulnerable to bad actors.
Carnival was subject to New York DFS’s Cybersecurity Regulation because at the time of the incidents, Carnival Companies were licensed insurance producers in New York State and sold various insurance products. That part of their business operations brought them under DFS’s Cybersecurity Regulation.
In connection with the settlement, the Carnival Companies surrendered the insurance producer licenses, and the Department has accepted their surrender. As a result, the Carnival Companies have ceased selling insurance in the State of New York.