top of page

Carnival fined $5M for cybersecurity lapses

The New York State Department of Financial Services (NYSDFS) announced a $5 million fine against Carnival Corporation on Friday for "significant" cybersecurity failures, including the failure to implement basic cybersecurity protocols, which resulted in four separate data breaches between 2019 and 2021.

According to a consent order reached in April 2020 with Carnival Corporation ("Carnival") and its subsidiaries (Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Lines, and Costa Cruise Lines), the company reported a cybersecurity incident in which "one or more unauthorised parties gained access to 124 employee email accounts."

According to the settlement agreement and an internal assessment conducted by Carnival, the initial hack was likely caused by a phishing email or password spraying.

Between August 2020 and March 2021, three further breaches occurred, including two ransomware assaults and a phishing campaign.

The corporation violated the DSF's cybersecurity rule by failing to notify the initial incident for 10 months, implementing multi-factor authentication inside its internal email policy, and adequately training staff on cybersecurity best practises.

According to the agency, the company's cybersecurity compliance certificates for calendar years 2018 through 2020 were invalid due to these errors.

Carnival was a licenced insurance producer in New York at the time of the occurrences, offered a variety of insurance products, and was subject to DFS's cybersecurity regulation. Carnival agreed to relinquish its insurance licences and halt insurance sales in New York.

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said NYSDFS Superintendent Adrienne Harris. “DFS will continue diligently enforcing its first-in-the-nation cybersecurity regulation to ensure that consumers’ personal, nonpublic, and sensitive data are protected.”

The fine is a result of the $1.25 million settlement Carnival reached with 45 state attorneys general and the District of Columbia in connection with its 2019 data breach.

Company representatives did not reply to a request for comment.



bottom of page