Carnival Corporation will pay a $5 million penalty to New York State for violations of the Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers.
The Department’s investigation uncovered evidence that the Carnival Companies had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks.
These Cybersecurity Events involved the unauthorized access of the companies’ information systems, leading to the exposure of customers’ sensitive, personal data. The Department’s investigation uncovered, among other things, that the Carnival Companies violated the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”), failing to promptly report the first Cybersecurity Event to the Department as required by the Regulation, and failing to conduct adequate cybersecurity training for their personnel.
As a result of these failures, the Carnival Companies’ cybersecurity compliance certifications for the calendar years 2018 through 2020 were improper. The delay in MFA implementation, together with the training and reporting failures, left the Carnival Companies’ Information Systems and their consumers’ Non-Public Information (“NPI”) extremely vulnerable to bad actors.
At the time of the incidents, the Carnival Companies were licensed insurance producers in New York State, sold various insurance products, and thus were subject to DFS’s Cybersecurity Regulation. In connection with the settlement, the Carnival Companies surrendered the insurance producer licenses, and the Department has accepted their surrender. As a result, the Carnival Companies have ceased selling insurance in the State of New York.
“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said Superintendent Harris.