- The New York State Department of Financial Services imposed a $5 million fine on Carnival Corp. for multiple breaches committed in four cybersecurity incidents – including two ransomware attacks – between 2019 and 2021.
- The regulator found that the cruise line had failed to implement multi-factor authentication, to promptly disclose the first incident in 2019 to regulators, and to provide adequate cybersecurity training to employees.
- Carnival has reached a separate $1.25 million settlement with 45 state and local attorneys general in the United States for allegedly failing to protect the personal information of 180,000 customers and employees.
Overview of the dive:
New York state regulators have cracked down on data protection and enforcement in recent years, with an official familiar with the agency calling cybersecurity an “important departmental priority.”
Carnival was hit by a series of phishing or brute-force attacks, which the company’s security operations team first suspected in May 2019. The compromised email accounts were used to send spam to other internal accounts, according to a consent order between the company and the regulator.
The threat actors accessed 124 employee email accounts hosted primarily on a Microsoft Office 365 platform and sent phishing emails to other employee accounts, according to the order.
Carnival did not report the incident to New York regulators until April 2020, even though the agency’s cybersecurity regulations for banks and insurers had been in force since 2017. Carnival was registered to sell life, health and accident insurance products in New York, and the state’s financial regulator supervises banks and insurers operating in the state.
The attacks revealed the victims’ names, addresses, passport numbers, driver’s licenses and, in a smaller number of cases, social security numbers and credit card information.
Carnival later reported ransomware attacks in August 2020 and January 2021. The company discovered a malware attack on Christmas Day 2020 that resulted in the encryption of several Costa Cruises computer systems, according to the consent order.
A fourth incident, linked to a phishing attack in March 2021, affected the Carnival, Holland and Princess cruise lines.
Citing four incidents in three years, the regulator found that Carnival had failed to provide adequate cybersecurity training to employees. The regulator also found that Carnival’s CISO had made timely but inappropriate compliance certifications for the years 2018, 2019 and 2020.
“The settlement resolves investigations into prior incidents in 2019 and 2021 involving unauthorized access to a small number of employee email accounts, as well as two past ransomware attacks,” the company said in a statement. “Privacy and data protection are extremely important to Carnival Corporation and its brands, which have cooperated fully with the investigations.”
The company said it entered into the agreements solely to resolve the issues and does not admit any wrongdoing.
Carnival said it “regularly reviews security and privacy policies and procedures” and implements changes as needed to improve information security and privacy controls.
Asked specifically about governance changes related to cybersecurity, a Carnival spokesperson said the company has “strong board-level oversight,” adding that Carnival has brought in high-level talent to oversee the CIO function at the corporate level.
As a result of the DFS investigation, Carnival relinquished its license to sell insurance in New York. The company also cannot use insurance reimbursement to cover the cost of DFS penalties.
As part of the multi-state AG agreement, Carnival has agreed to several provisions, including implementing a breach notification and response plan, providing email security training, requiring multi-factor authentication for remote email access and undergoing an independent information security assessment.