Carnival Cruises to pay $1.25 million fine for 2019 data breach

Carnival Cruises has agreed to pay a $1.25 million fine after being sued by 46 attorneys general for its handling of a 2019 data breach that leaked information from 180,000 Carnival employees and customers across the country. 

The breach was disclosed by the company in March 2020 and involved names, Social Security numbers, addresses, passport numbers, driver’s license numbers, payment card information and health information. Thousands of people from each state were affected by the breach. 

Hackers gained access to Carnival employee email accounts, giving them wide access to customer information. The company faced public backlash after revealing that it had discovered the breach in May 2019, 10 months before it told the public.

“When personal data is exposed to bad actors, it’s essential that consumers are notified as quickly as possible,” said Pennsylvania Attorney General Josh Shapiro. “Added delays increase the possibility of that personal data being used for nefarious purposes.”

The attorneys general noted that Carnival was storing personal information in emails and was using “other disorganized methods” to handle sensitive data. Data practices like this make breach notifications more difficult, according to Shapiro. 

New York Attorney General Letitia James said Carnival Cruise Line “failed to securely dock and safeguard thousands of consumers’ personal information.” 

“In today’s digital age, companies must shore up their data privacy measures to protect consumers from fraud,” James said. “New Yorkers on vacation should not have to worry about their personal information being exposed.”

Most states are receiving between $10,000 and $70,000. Alongside the financial penalties, Carnival agreed to implement a breach response plan, institute an email training program for employees, undergo independent information security assessments and more.

“This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information,” Connecticut Attorney General William Tong said.

“Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
