$1.25M settlement in Carnival Cruise data breach

ALBANY, N.Y. (WTEN) – Attorney General Letitia James, along with 45 other attorneys general, announced Thursday that they have reached a $1.25 million multistate settlement with Carnival Cruise Line after a 2019 data breach exposed the personal information of around 180,000 Carnival employees and customers.

Over 6,000 New Yorkers were impacted by the breach. Carnival will pay New York State more than $44,000 in penalties.

In March 2020, Carnival publicly reported a data breach in which an unauthorized user gained access to Carnival employee email accounts and personal information. According to breach notifications, Carnival was aware of suspicious email activity in May of 2019, nearly 10 months before they reported it.

“Carnival Cruise Line failed to securely dock and safeguard thousands of consumers’ personal information,” said Attorney General James. “In today’s digital age, companies must shore up their data privacy measures to protect consumers from fraud. New Yorkers on vacation should not have to worry about their personal information being exposed. Today’s agreement will require Carnival to turn the tide on its reckless data security practices.”

As part of the settlement, Carnival has agreed to a series of provisions meant to strengthen its email security and breach response practices. The provisions aim to curb the lax security practices that led to the breach in the first place and prevent similar security issues in the future.


  • Implementation and maintenance of a breach response and notification plan.
  • Email security training requirements for employees, including dedicated phishing exercises.
  • Multi-factor authentication for remote email access.
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage.
  • Maintenance of enhanced behavior analytics tools to log and monitor possible security events on the company’s network.
  • Consistent with past data breach settlements, undergoing an independent information security assessment.
