Talk about choppy waters! It was reported yesterday that New York fined Carnival cruise lines $5 million for multiple violations committed in connection with four cybersecurity incidents!
As reported by Cybersecurity Dive (Carnival to pay $5M for cyber violations to NY financial regulator, written by David Jones*), the New York State Department of Financial Services imposed a $5 million penalty on Carnival Corp. for multiple violations committed in connection with four cybersecurity incidents — including two ransomware attacks — between 2019 and 2021.
The regulator found the cruise line failed to implement multifactor authentication, to promptly disclose the first incident (from 2019) to regulators, and to conduct adequate cybersecurity training for employees. Carnival reached a separate $1.25 million settlement with 45 state and local attorneys general in the U.S. for allegedly failing to safeguard the personal information of 180,000 customers and employees.
Carnival was hit by a series of phishing or brute-force attacks, which the company’s security operations team first suspected in May 2019. The compromised email accounts were used to send spam to other internal accounts, according to the consent order between the company and the regulator.
Threat actors accessed 124 employee email accounts hosted primarily on a Microsoft Office 365 platform and sent out phishing emails to other employee accounts, the order said.
Carnival did not report the incident to New York regulators until April 2020, even though the agency’s cybersecurity regulation for banks and insurers (23 NYCRR Part 500, which requires covered entities to notify DFS within 72 hours of a qualifying cybersecurity event) took effect in 2017. Carnival was registered to sell life, health and accident insurance products in New York, and the state financial regulator oversees banking and insurance providers operating in the state, which is what gave DFS the authority to fine Carnival.
The attacks exposed names, addresses, passport numbers and driver’s license numbers, and, in a smaller number of cases, Social Security numbers and credit card information of victims.
Carnival later reported ransomware attacks in August 2020 and January 2021. On Christmas Day 2020, the company discovered a malware attack that resulted in the encryption of several Costa Cruises computer systems, according to the consent order.
A fourth incident, linked to a phishing attack in March 2021, hit the Carnival, Holland America and Princess cruise lines.
Based on the four incidents within three years, the regulator found Carnival did not provide adequate cybersecurity training to employees. The regulator also found that Carnival’s CISO filed timely but improper annual compliance certifications for the years 2018, 2019 and 2020. The company said it entered into the agreements solely to resolve the matters and admits no fault or wrongdoing.
In addition to the penalty, Carnival has surrendered its license to sell insurance in New York. The company also cannot seek insurance reimbursement to cover the cost of the DFS penalty.
So, what do you think? Are you surprised that New York fined Carnival, or surprised that the fine wasn’t bigger? Please share any comments you might have or let me know if you’d like to know more about a particular topic.
*Only a guy named “Davy Jones” could write about a cruise line in trouble. See what I did there? 😉
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.