Carnival must change its security and breach practices
The Attorney General’s Office announced a multi-state settlement with Florida-based Carnival Cruise Line following a 2019 data breach involving the personal information of approximately 180,000 Carnival employees and customers nationwide. . As part of the settlement, Carnival is to strengthen its email security and breach response practices. The company must also pay the states a total of $1.25 million, of which Vermont will receive $10,000.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to the email accounts of some Carnival employees. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of social security numbers. The investigation found that 163 Vermont residents were affected by the breach.
Breach notifications sent to the attorneys general’s offices said Carnival first became aware of suspicious email activity in late May 2019, about 10 months before Carnival reported the breach. A multi-state investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.
“Unstructured” data breaches like the Carnival breach involve personal information stored through email and other disorganized platforms. Companies lack visibility into this data, which makes breach notification more difficult and the risk to consumers increases with delays.
As part of the settlement, Carnival agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. These include:
- Implementing and maintaining a breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing drills;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of strong and complex passwords, password rotation, and secure password storage;
- Maintenance of improved behavior analysis tools to record and monitor potential security events on the corporate network; and
- In accordance with previous data breach regulations, subject to an independent information security assessment.
Vermont is joined in today’s settlement by the attorneys general of Alabama, Arizona, Arkansas, Ohio and North Carolina, and joined by Alaska, the Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana , Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Virginia -Western, Wisconsin and Wyoming.
A copy of the settlement agreement is available here.
Contact: Lauren Jandl, Chief of Staff, 802-828-3171
Last modification: June 28, 2022