Carnival Cruises to pay $1.25 million fine for 2019 data breach
Carnival Cruises has agreed to pay a $1.25 million fine after being sued by 46 attorneys general for its handling of a 2019 data breach that leaked information from 180,000 Carnival employees and customers across the country.
The breach was disclosed by the company in March 2020 and involved names, Social Security numbers, addresses, passport numbers, driver’s license numbers, payment card information and health information. Thousands of people from each state were affected by the breach.
Hackers gained access to Carnival employee email accounts, giving them wide access to customer information. The company faced public backlash after revealing that it had discovered the breach in May 2019, 10 months before it told the public.
“When personal data is exposed to bad actors, it’s essential that consumers are notified as quickly as possible,” said Pennsylvania Attorney General Josh Shapiro. “Added delays increase the possibility of that personal data being used for nefarious purposes.”
The attorneys general noted that Carnival was storing personal information in emails and was using “other disorganized methods” to handle sensitive data. Data practices like this make breach notifications more difficult, according to Shapiro.
New York Attorney General Letitia James said Carnival Cruise Line “failed to securely dock and safeguard thousands of consumers’ personal information.”
“In today’s digital age, companies must shore up their data privacy measures to protect consumers from fraud,” James said. “New Yorkers on vacation should not have to worry about their personal information being exposed.”
Most states are receiving between $10,000 and $70,000. Alongside the financial penalties, Carnival agreed to implement a breach response plan, institute an email training program for employees, undergo independent information security assessments and more.
“This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information,” Connecticut Attorney General William Tong said.
“Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”