Carnival Cruise Lines will disburse more than $6 million to end two separate lawsuits brought by 46 states in the US after sensitive personal information of customers and employees was accessed in a series of cyberattacks.
A couple of years ago, when the coronavirus pandemic was taking hold, the Miami-based business revealed that intruders had not only encrypted some of its data, but also downloaded a vast amount of it: names and addresses, Social Security, driver’s license and passport numbers, and payment and health information for thousands of people in nearly every US state.
It all started going wrong over a year ago, when the cruise line became aware of suspicious activity in May 2019. Apparently, this wasn’t revealed until March 2020.
In 2019, the security operations team detected an internal email account that was sending spam to other addresses. It turned out that criminals had hijacked the Microsoft Office 365 email accounts of 124 employees and were using them to send phishing emails to harvest more credentials. This, we are told, gave the hackers access to the personal data of 180,000 Carnival employees and customers. The bad guys probably first got in using phishing emails or by brute-forcing passwords. Either way, there was no multi-factor authentication.
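The detection the article mentions in passing, an internal mailbox that suddenly starts spraying mail at many addresses, can be expressed as a simple baseline check over mail transfer logs. The following is an added example and is not code from the article, from Carnival, or from any vendor: it assumes a hypothetical log line format (ISO timestamp, sender, recipient), a hypothetical internal domain `corp.example`, and an assumed ceiling of 25 distinct recipients per sender in any 30-minute window; the sample log is constructed inside the block.

```python
"""Flag internal mailboxes that start mass-mailing: a per-sender sliding-window
count of distinct recipients over mail transfer logs.

Added example; log format, domain and thresholds are assumptions, not any
real organisation's configuration."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"      # hypothetical internal mail domain
WINDOW = timedelta(minutes=30)        # assumed observation window
MAX_DISTINCT_RECIPIENTS = 25          # assumed per-user ceiling inside one window


def parse_log(text):
    """Parse constructed lines '<ISO timestamp>Z <sender> <recipient>' into a
    time-sorted list of (timestamp, sender, recipient) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, sender.lower(), rcpt.lower()))
    events.sort()
    return events


def flag_mass_senders(events, window=WINDOW, limit=MAX_DISTINCT_RECIPIENTS,
                      internal_domain=INTERNAL_DOMAIN):
    """Return {sender: peak_distinct_recipients} for internal senders whose
    distinct-recipient count inside any sliding window exceeds `limit`.
    External senders are ignored: the signal of interest is a hijacked
    internal account, not inbound bulk mail."""
    per_sender = defaultdict(list)
    for when, sender, rcpt in events:
        if sender.endswith("@" + internal_domain):
            per_sender[sender].append((when, rcpt))

    flagged = {}
    for sender, msgs in per_sender.items():
        peak, start = 0, 0
        for end in range(len(msgs)):
            # Slide the window start forward until it spans at most `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            distinct = len({r for _, r in msgs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > limit:
            flagged[sender] = peak
    return flagged


def build_sample_log():
    """Constructed log: one normal user, one hijacked internal account that
    mails 40 distinct addresses in ten minutes, and one external bulk sender."""
    t0 = datetime(2019, 5, 10, 9, 0)
    lines = []
    for i in range(5):   # alice: one mail an hour, never bursts
        lines.append(f"{(t0 + timedelta(hours=i)).isoformat()}Z "
                     f"alice@corp.example colleague{i}@corp.example")
    for i in range(40):  # victim: 40 recipients in 10 minutes
        lines.append(f"{(t0 + timedelta(seconds=15 * i)).isoformat()}Z "
                     f"victim@corp.example target{i}@partner.example")
    for i in range(50):  # external newsletter: high volume but not internal
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()}Z "
                     f"newsletter@vendor.example staff{i}@corp.example")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for sender, peak in flag_mass_senders(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {sender}: {peak} distinct recipients within {WINDOW}")
```

The fixed ceiling is a stand-in for a per-user baseline learned from history; in practice the threshold would be derived from each mailbox's normal fan-out, and a hit would be paired with a forced credential reset and session revocation for the flagged account.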
Then, in August 2020, the company said it was hit with the aforementioned ransomware and copies of its files were siphoned off. In January 2021, it was again infected with malware and again sensitive information was downloaded, specifically, passport numbers and dates of birth of customers, and credit card numbers of employees. And in March of that year, a staff member’s work email account was again compromised to send a phishing email. More sensitive information was exposed.
Late last week, the New York Department of Financial Services (DFS) announced that Carnival had agreed to pay $5 million to the state as a penalty for violating the New York Cyber Security Regulation. According to the Department, Carnival was careless in defending its computer systems and data, and in total “had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks.”
“A data breach that exposes personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on a person’s financial health,” DFS Superintendent Adrienne Harris said in a statement. “It is critical that businesses take the appropriate steps to protect consumers’ personal information.”
It’s also important that anyone with compromised data be notified as quickly as possible after a breach, according to Connecticut Attorney General William Tong. A day before NY announced its punishment for Carnival, Connecticut and other US states announced that they had reached a $1.25 million settlement with Carnival for the 2019 cyberattack.
“This agreement sends the message that companies must take stock of the information they hold and take reasonable steps to protect that information,” Tong said in a statement. “Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or affected individuals of a violation.”
Pennsylvania AG Josh Shapiro, who is running to become the state’s next governor, said that “additional delays increase the possibility that personal data will be used for nefarious purposes”.
Among the 46 states, some of the plaintiffs launched a further investigation into Carnival’s email security practices, as well as whether the company complied with the network breach notification statutes in each of the states. The investigations were led by Pennsylvania, Connecticut, Florida and Washington, and assisted by Alabama, Arizona, Arkansas, Ohio and North Carolina. The other states joined the case.
As part of the multi-state agreement [PDF], Carnival has agreed to a number of steps to improve its email security, including requiring employee training, exercises focused on phishing, and the use of multi-factor authentication (MFA) for remote access to corporate email.
Other requirements involve passwords, including the use of strong and complex passwords, password rotation, and the use of secure password storage systems. This is in addition to the use of enhanced behavioral analytics tools to log and monitor potential security events on Carnival’s network, and the use of third-party security assessments.
The company must also implement and use a breach notification and response plan.
New York has been one of the most aggressive in the case. Its own investigation found that Carnival had violated the state’s cybersecurity regulation, which went into effect in March 2017. Those violations included a lack of MFA, poor employee cybersecurity training, and failing to promptly report the first cybersecurity fiasco. All of that combined left company systems and customer information vulnerable to cybercriminals between 2018 and 2020, the state agency said.
At the time of the security incidents, Carnival, which also owns Costa, Cunard, Holland America, Princess and Seabourn, was licensed to sell insurance in New York, making it subject to DFS security regulations. As part of its agreement, Carnival gave up its insurance sales business in New York.
The Register reached out to Carnival for a response, though none was received before publication. That said, the company told Reuters in a brief statement that it had cooperated with New York officials and that privacy and data protection were important to the company. Carnival did not admit to any wrongdoing. ®