Dive Brief:
- The New York State Department of Financial Services imposed a $5 million penalty on Carnival Corp. for multiple violations committed in connection with four cybersecurity incidents — including two ransomware attacks — between 2019 and 2021.
- The regulator found the cruise line failed to implement multifactor authentication; promptly disclose the first incident from 2019 to regulators; and conduct adequate cybersecurity training for employees.
- Carnival reached a separate $1.25 million settlement with 45 state and local attorneys general in the U.S. for allegedly failing to safeguard the personal information of 180,000 customers and employees.
Dive Insight:
New York state regulators have cracked down on data protection and enforcement in recent years, with one official familiar with the agency calling cybersecurity a “significant departmental priority.”
Carnival was hit by a series of phishing or brute force attacks, which the company’s security operations team first suspected in May 2019. The compromised email accounts were used to send spam to other internal accounts, according to a consent order between the company and the regulator.
Threat actors accessed 124 employee email accounts hosted primarily on a Microsoft Office 365 platform and sent out phishing emails to other employee accounts, the order said.
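The two-stage pattern in the consent order (credential attack on a mailbox, then the compromised mailbox sending phishing to colleagues) is detectable from sign-in and message-trace data. The following is an added example, written for this page; it is not code from Carnival, NYDFS or the article. The log records and field names are constructed, loosely modelled on Office 365 sign-in and message-trace exports, and every threshold is an assumption to be tuned against a real tenant's baseline.

```python
"""Detect brute-forced logins followed by an internal phishing burst.

Added example, not from Carnival or NYDFS. Log formats and thresholds are
assumptions; sample records below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain

# Constructed sign-in events: six failures then a success for alice from one
# IP (the brute-force signature), and a benign one-failure login for bob.
SIGNIN_LOGS = (
    [{"ts": f"2019-05-02T09:0{i}:00", "user": "alice@example.com",
      "ip": "203.0.113.7", "result": "Failure"} for i in range(6)]
    + [{"ts": "2019-05-02T09:06:00", "user": "alice@example.com",
        "ip": "203.0.113.7", "result": "Success"}]
    + [{"ts": "2019-05-02T09:10:00", "user": "bob@example.com",
        "ip": "198.51.100.4", "result": "Failure"},
       {"ts": "2019-05-02T09:11:00", "user": "bob@example.com",
        "ip": "198.51.100.4", "result": "Success"}]
)

# Constructed message trace: alice mails 12 distinct colleagues in 11 minutes
# with a lure subject; carol sends three ordinary messages.
MESSAGE_TRACE = (
    [{"ts": f"2019-05-02T09:{20 + i}:00", "sender": "alice@example.com",
      "recipient": f"user{i}@example.com",
      "subject": "Updated invoice - please review"} for i in range(12)]
    + [{"ts": f"2019-05-02T10:{i:02d}:00", "sender": "carol@example.com",
        "recipient": f"user{i}@example.com", "subject": "Lunch?"}
       for i in range(3)]
)


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_brute_force(signins, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag a (user, ip) pair that accumulates >= fail_threshold failures
    inside `window` and is then followed by a success from the same IP."""
    by_pair = defaultdict(list)
    for e in sorted(signins, key=lambda e: parse_ts(e["ts"])):
        by_pair[(e["user"], e["ip"])].append(e)
    findings = []
    for (user, ip), events in by_pair.items():
        failures = []  # timestamps of recent failures, pruned to the window
        for e in events:
            t = parse_ts(e["ts"])
            failures = [f for f in failures if t - f <= window]
            if e["result"] == "Failure":
                failures.append(t)
            elif e["result"] == "Success" and len(failures) >= fail_threshold:
                findings.append({"type": "brute_force_success", "user": user,
                                 "ip": ip, "failures": len(failures),
                                 "at": e["ts"]})
                failures = []
    return findings


def detect_internal_phish_burst(trace, window=timedelta(minutes=15),
                                min_recipients=10):
    """Flag an internal sender that reaches >= min_recipients distinct
    internal recipients within any `window` (a mailbox spraying colleagues)."""
    suffix = "@" + INTERNAL_DOMAIN
    by_sender = defaultdict(list)
    for m in trace:
        if m["sender"].endswith(suffix) and m["recipient"].endswith(suffix):
            by_sender[m["sender"]].append(m)
    findings = []
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: parse_ts(m["ts"]))
        best, best_first, start = 0, None, 0
        for end, m in enumerate(msgs):  # sliding window over sorted messages
            t = parse_ts(m["ts"])
            while parse_ts(msgs[start]["ts"]) < t - window:
                start += 1
            distinct = {x["recipient"] for x in msgs[start:end + 1]}
            if len(distinct) > best:
                best, best_first = len(distinct), msgs[start]["ts"]
        if best >= min_recipients:
            findings.append({"type": "internal_phish_burst", "user": sender,
                             "recipients": best, "first_seen": best_first})
    return findings


def correlate(signin_findings, mail_findings):
    """Join on the account: a brute-forced login that precedes an internal
    mail burst is the strongest signal of the pattern in the consent order."""
    by_user = {f["user"]: f for f in signin_findings}
    out = []
    for m in mail_findings:
        bf = by_user.get(m["user"])
        if bf and parse_ts(bf["at"]) <= parse_ts(m["first_seen"]):
            out.append({"type": "account_takeover_internal_phishing",
                        "user": m["user"], "ip": bf["ip"],
                        "login_at": bf["at"], "burst_at": m["first_seen"],
                        "recipients": m["recipients"]})
    return out


def run(signins=SIGNIN_LOGS, trace=MESSAGE_TRACE):
    bf = detect_brute_force(signins)
    bursts = detect_internal_phish_burst(trace)
    return {"brute_force": bf, "bursts": bursts, "correlated": correlate(bf, bursts)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed data the brute-force detector fires only for alice (bob's single failure is below the threshold), the burst detector fires only for alice (carol's three messages are below the recipient threshold), and the correlation ties the 09:06 login to the 09:20 burst. In production the thresholds belong in configuration, the sender baseline should come from that user's own history rather than a fixed count, and the correlated finding is the one that warrants immediate credential reset and mailbox-rule review; enforcing multifactor authentication breaks the first stage outright.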
Carnival did not report the incident to New York regulators until April 2020, even though the agency’s cybersecurity regulations on banks and insurers were imposed in 2017. Carnival was registered to sell life, health and accident insurance products in New York and the state financial regulator oversaw banking and insurance providers operating in the state.
The attacks exposed names, addresses, passport numbers and driver’s license numbers and, in a smaller number of cases, victims’ Social Security numbers and credit card information.
Carnival later reported ransomware attacks in August 2020 and January 2021. On Christmas Day 2020 the company discovered a malware attack that resulted in the encryption of several Costa Cruises computer systems, according to the consent order.
A fourth incident, linked to a phishing attack in March 2021, hit Carnival, Holland and Princess cruise lines.
Citing the four incidents within three years, the regulator found Carnival had not provided adequate cybersecurity training to employees. The regulator also found that Carnival’s CISO filed timely but improper certifications of compliance for the years 2018, 2019 and 2020.
“The settlement resolves inquiries into prior incidents in 2019 and 2021 involving unauthorized access to a small number of employee email accounts, as well as two past ransomware attacks,” the company said in a statement. “Data privacy and protection are extremely important to Carnival Corporation and its brands, who cooperated fully with the investigations.”
The company said it entered into the agreements solely to resolve the matters and admits no fault or wrongdoing.
Carnival said it “routinely reviews security and privacy policies and procedures” and implements changes when necessary to enhance information security and privacy controls.
When asked specifically about changes in governance related to cybersecurity, a Carnival spokesperson said the company has “strong oversight at the Board of Directors level,” adding that Carnival brought in top executive-level talent to oversee the CIO function at a corporate level.
As a result of the DFS investigation, Carnival has surrendered its license to sell insurance in New York. The company also cannot use insurance reimbursement to cover the cost of the DFS penalties.
Under the settlement with the multistate AGs, Carnival agreed to several provisions, including implementing a breach response and notification plan, providing email security training, requiring multifactor authentication for remote email access, and undergoing an independent information security assessment.