BALTIMORE, MD—Maryland Attorney General Brian E. Frosh on Wednesday announced that Maryland, along with 45 other states, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and, in a few instances, Social Security Numbers.
Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May 2019 – approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.
“Consumers must be notified of a data breach involving their personal information as soon as possible so that they can take the appropriate steps to protect themselves,” said Attorney General Frosh. “Businesses must quickly identify the personal information they have stockpiled and promptly notify consumers if a breach occurs. Delayed notification of data breaches increases the risk to consumers.”
Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. Those include:
- Implementing and maintaining a breach response and notification plan;
- Requiring email security training for employees, including dedicated phishing exercises;
- Employing specific security safeguards including multi-factor authentication for remote email access; the use of strong, complex passwords, password rotation, and secure password storage; enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
- Undergoing an independent information security assessment.
In addition to Maryland, the states participating in this settlement include Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Washington, Wisconsin, and Wyoming.
Photo by Sora Shimazaki from Pexels
