Skip links

Carnival Cruises torpedoed by US states, agrees to pay $6m after waves of cyber attacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive personal information on customers and employees was accessed in a string of cyber attacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a trove of data – names and addresses, Social Security info, driver’s license and passport numbers, and health and payment information for thousands of people in almost every American state.

It all started to go wrong more than a year earlier, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn’t disclosed until March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we’re told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It’s likely the baddies first broke in using phishing mails or brute-forcing passwords. Either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer’s work email account was compromised again to send out a phishing email. More sensitive information was exposed.

Late last week, New York’s Department of Financial Services (DFS) announced Carnival had agreed to pay $5 million to the state as a penalty for falling foul of NY’s Cybersecurity Regulation. According to the Dept, Carnival was slipshod in defending its computer systems and data, and in all “had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks.”

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health,” DFS Superintendent Adrienne Harris declared in a statement. “It is critical that companies take appropriate action to protect consumers’ personal information.”

It’s also important that anyone with compromised data is notified as quickly as possible following a breach, according to Connecticut AG William Tong. A day before NY announced its punishment for Carnival, Connecticut and a bunch of other US states announced they had reached a $1.25m settlement with Carnival regarding the 2019 cyber attack.

“This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information,” Tong argued in a statement. “Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”

Pennsylvania AG Josh Shapiro, who is running to become the state’s next governor, said that “added delays increase the possibility of that personal data being used for nefarious purposes.”

Across the 46 states, some of the plaintiffs launched a deeper investigation into Carnival’s email security practices as well as whether the company complied with network breach notification statutes in each of the states. The investigations were led by Pennsylvania, Connecticut, Florida, and Washington, and assisted by Alabama, Arizona, Arkansas, Ohio and North Carolina. The remaining states joined the case.

As part of the multi-state deal [PDF], Carnival agreed to a series of steps to improve its email security, including requiring training for employees, exercises focusing on phishing, and using multi-factor authentication (MFA) for remote access to corporate email.

Other requirements involve passwords, including requiring the use of strong and complex passwords, rotating passwords, and using secure password storage systems. This is in addition to using enhanced behavior analytics tools to log and monitor possible security events on Carnival’s network, and using third-party security assessments.

The company also must implement and use a breach response and notification plan.

New York has been one of the most aggressive in the case. Its own investigation found that Carnival had violated the state’s computer security laws that went into effect in March 2017. Those violations included a lack of MFA, poor employee cybersecurity training, and failing to promptly report the first cybersecurity fiasco. All of that combined left the company’s systems and customer information vulnerable to cybercriminals between 2018 and 2020, the state agency said.

At the time of the security incidents, Carnival – which also owns Costa, Cunard, Holland America, Princess and Seabourn – was licensed to sell insurance in New York, which made it subject to DFS’s security regulations. As part of its settlement, Carnival gave up its insurance-selling business in New York.

The Register has reached out to Carnival for a response, though none was received before publication time. That said, the company told Reuters in a brief statement that it cooperated with New York officials and that data privacy and protection were important to the company. Carnival didn’t admit to any wrongdoing. ®