Carnival hit with $5 million fine over cyber security violations
The cruise line operator was criticised for failing to implement multi-factor authentication and failing to conduct cyber security training for its staff
The cruise line operator Carnival Corporation was fined $5 million last Friday over violating New York’s cyber security laws.
The company will pay the penalty to New York State for violations of the Cybersecurity Regulation which caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, said New York State’s Department of Financial Services (DFS). Carnival’s brands include Seabourn, Princess, and Holland America.
The department’s investigation found evidence that Carnival had been subject to four cyber security events between 2019 and 2021, including two ransomware attacks. They involved unauthorised access to the company’s information systems, leading to the exposure of customers’ sensitive personal data.
The investigation also found that Carnival violated the DFS Cybersecurity Regulation by failing to implement multi-factor authentication (MFA), failing to promptly report the first event to the department as required, and failing to conduct adequate cyber security training for personnel.
“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said Adrienne A. Harris, Superintendent of the DFS. “DFS will continue diligently enforcing its first-in-the-nation Cybersecurity Regulation to ensure that consumers’ personal, non-public, and sensitive data are protected.”
As a result of these failures, the DFS said that Carnival’s cyber security compliance certifications for 2018 to 2020 were improper. The delay in MFA implementation, together with the training and reporting failures, left Carnival’s systems and its consumers’ non-public information (NPI) extremely vulnerable to bad actors.
Additionally, Carnival’s companies were licensed insurance producers in New York State at the time of the incidents. They sold several insurance products and were subject to DFS’s Cybersecurity Regulation. As part of the settlement, Carnival surrendered the insurance producer licence and ceased selling insurance in the state.
IT Pro has contacted Carnival for comment.
Last week, Carnival also reached a $1.25 million settlement with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach, according to Compliance Week. The breach involved the personal information of 180,000 employees and customers nationwide.
In March 2020, the company reported the breach, which exposed information such as names, addresses, passport numbers, driver's licences, payment card information, and Social Security numbers. However, it stated that it first became aware of suspicious email activity in May 2019, 10 months before publicly declaring the incident. As a result, a multistate probe was launched, focusing on the company's email security practices.
What is the New York State Cybersecurity Regulation?
The Cybersecurity Regulation was released in March 2017 and became fully effective in March 2019. It was drafted with industry input: the DFS surveyed around 200 regulated banking institutions and insurance companies, met with a cross-section of respondents and cyber security experts during the drafting period, and facilitated two rounds of notice and comment.
The Cybersecurity Regulation imposes cyber security requirements on covered organisations, including establishing a detailed cyber security programme, designating a Chief Information Security Officer, and maintaining a reporting process for cyber security events.
Individuals and entities required to comply with it include partnerships and organisations that operate under a licence or similar authorisation under the banking law, insurance law, or the financial services law in the state of New York.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.