ALBANY, N.Y. (WTEN) Attorney General Letitia James, along with 45 other attorneys general, announced Thursday that they have reached a $1.25 million multistate settlement with Carnival Cruise Line after a 2019 data breach exposed the personal information of around 180,000 Carnival employees and customers.

Over 6,000 New Yorkers were impacted by the breach. Carnival will pay New York State more than $44,000 in penalties.

In March 2020, Carnival publicly reported a data breach in which an unauthorized user gained access to Carnival employee email accounts and personal information. According to breach notifications, Carnival was aware of suspicious email activity in May of 2019, nearly 10 months before it reported the breach.

“Carnival Cruise Line failed to securely dock and safeguard thousands of consumers’ personal information,” said Attorney General James. “In today’s digital age, companies must shore up their data privacy measures to protect consumers from fraud. New Yorkers on vacation should not have to worry about their personal information being exposed. Today’s agreement will require Carnival to turn the tide on its reckless data security practices.”

As part of the settlement, Carnival has agreed to a series of provisions meant to strengthen its email security and breach response practices. The provisions aim to curb the lax security practices that led to the breach in the first place and prevent similar security issues in the future.

Provisions:

  • Implementation and maintenance of a breach response and notification plan.
  • Email security training requirements for employees, including dedicated phishing exercises.
  • Multi-factor authentication for remote email access.
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage.
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network.
  • Consistent with past data breach settlements, undergoing an independent information security assessment.