On June 24, 2022, the New York Superintendent of the Department of Financial Services (DFS), Adrienne Harris, announced that a $5 million penalty was imposed upon Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line and Costa Cruise Lines (the Carnival Companies) for violating New York’s first-in-the-nation Cybersecurity Regulation, 23 NYCRR § 500. New York’s DFS Cybersecurity Regulation was initially implemented in March 2017 and, after receiving input from nearly 200 cybersecurity experts and regulated banking and insurance companies, became fully effective in March 2019.
According to the NY DFS, its investigation of the Carnival Companies uncovered evidence that the companies had four separate cybersecurity events between 2019 and 2021 involving unauthorized access to the companies’ information systems, including two ransomware attacks, which led to the exposure of customers’ sensitive nonpublic personal information (NPI). Based on these findings, the DFS determined that the Carnival Companies violated several provisions of the Regulation when they failed to implement multi-factor authentication as a “first line of defense” (Section 500.12(b)); failed to notify the DFS of a cybersecurity event within 72 hours (Section 500.17(a)); and failed to adequately provide cybersecurity awareness training for all personnel (Section 500.14(a)).
The NY DFS also requires companies to implement risk-based policies, procedures and controls that detect unauthorized access of their systems (Section 500.14(a)) and certify annually that they are in compliance with NY cybersecurity regulations (Section 500.17(b)). Based on its discovery of cybersecurity events associated with Carnival Companies’ systems in 2019, 2020 and 2021, the DFS determined that the companies failed to implement adequate risk-based policies and procedures between 2019 and 2021 and improperly certified in each of these years that their cybersecurity program was in compliance with NY cybersecurity regulations.
On June 23, 2022, the Connecticut Office of the Attorney General, along with 45 other attorneys general, also announced a separate $1.25 million multistate settlement with Carnival Cruise Line (Carnival) that was reached in response to a 2019 data breach of Carnival’s systems that compromised the personal information of approximately 180,000 Carnival employees and customers nationwide. The 2019 breach referenced in the multistate settlement is the first of the four breaches discovered during the NY DFS investigation.
According to the Connecticut AG, Carnival first became aware of the breach when it noticed suspicious email activity in late May 2019 and discovered that an unauthorized actor had gained access to certain Carnival employee email accounts that were used to access the NPI of both employees and customers. The CT AG reports that Carnival did not report the breach to authorities until March 2020, approximately 10 months after the breach occurred. The multistate investigation revealed that Carnival suffered an “unstructured” data breach involving personal information stored in email and on other disorganized platforms, which made breach notification especially challenging and resulted in delayed notifications that increased the affected consumers’ risk of exposure to financial crime.
In addition to the monetary payment, under the multistate settlement Carnival agreed to undergo an independent information security assessment and to strengthen its email and breach response practices. Carnival also agreed to make additional security enhancements, including implementation of a breach response and notification plan, employee training on email security, multi-factor authentication for remote email access, stronger password policies and procedures, and maintenance of an enhanced behavior analytics tool that will monitor the company’s network for potential security events.