Carnival Cruise To Pay $1.25 Million Settlement, $30,000 to Pennsylvania

Carnival Cruise has agreed to pay a settlement to multiple states after a mishandled data breach.

According to a release from the Pennsylvania Attorney General’s Office, a coalition of 46 attorneys general, including AG Josh Shapiro, has settled a multistate complaint against Carnival Cruise for $1.25 million. This settlement is for a 2019 data breach of personal information involving 180,000 Carnival employees and consumers around the nation. The state of Pennsylvania is to receive $28,890.75 from the settlement.

“When personal data is exposed to bad actors, it’s essential that consumers are notified as quickly as possible,” said AG Shapiro. “Added delays increase the possibility of that personal data being used for nefarious purposes. With today’s settlement, Carnival has agreed to make important changes to the way they do business that will better protect consumers and ensure if the worst is to happen again, consumers learn about it as soon as possible.”

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to Carnival employee email accounts. The breach exposed sensitive personal information, including names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a small number of social security numbers. 3,794 Pennsylvanians were impacted by the data breach.

The Carnival Cruise data breach involved personal information stored via email and other disorganized methods. Data stored in this way lacks visibility, making awareness of security breaches more difficult and raising consumer risk as more time passes before the breach is realized.

Attorney General offices were notified that Carnival first became aware of suspicious email activity in May 2019, 10 months before Carnival reported the breach. A multistate investigation was launched, focusing on Carnival’s email security practices and compliance with state breach notification statutes.

Under the settlement, Carnival has agreed to a series of changes designed to strengthen its email security and breach response practices going forward. They include:

  • Implementation and maintenance of a breach response and notification plan.
  • Email security training requirements for employees, including dedicated phishing exercises.
  • Multi-factor authentication for remote email access.
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage.
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network.
  • Consistent with past data breach settlements, undergoing an independent information security assessment.

The Pennsylvania Office of Attorney General assisted in an investigation co-led by Connecticut, Florida, and Washington, with additional assistance from Alabama, Arizona, Arkansas, Ohio, and North Carolina, and joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

Keep up to date on Pocono news, art, and events by following us on the Newsbreak app.

Have a news tip? Report it to (570) 451-NEWS.