Skip links

Carnival Cruises torpedoed by US states, agrees to pay $6m after waves of cyberattacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver’s license, and passport numbers; and health and payment information of thousands of people in almost every American state.

It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn’t disclosed until 10 months later, in March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we’re told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It’s likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer’s work email account was compromised again to send out a phishing email; more sensitive information was exposed.

Late last week, New York’s Department of Financial Services (DFS) announced Carnival had agreed to pay $5 million to the state as a penalty for falling foul of NY’s Cybersecurity Regulation. According to the Dept, Carnival was slipshod in defending its computer systems and data, and in all “had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks.”

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health,” DFS Superintendent Adrienne Harris said in a statement. “It is critical that companies take appropriate action to protect consumers’ personal information.”

It’s also important that anyone with compromised data are notified as quickly as possible following a breach, according to Connecticut AG William Tong. A day before NY announced its punishment for Carnival, Connecticut and a bunch of other US states announced they had reached a $1.25m settlement with Carnival regarding the 2019 cyberattack.

“This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information,” Tong said in a statement. “Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”

Pennsylvania AG Josh Shapiro, who is running to become the state’s next governor, said that “added delays increase the possibility of that personal data being used for nefarious purposes.”

Across the 46 states, some of the plaintiffs launched a deeper investigation into Carnival’s email security practices as well as whether the company complied with network breach notification statutes in each of the states. The investigations were led by Pennsylvania, Connecticut, Florida, and Washington, and assisted by Alabama, Arizona, Arkansas, Ohio and North Carolina. The remaining states joined the case.

As part of the multi-state deal [PDF], Carnival agreed to a series of steps to improve the email security, including requiring training for employees, exercises focusing on phishing, and using multifactor authentication (MFA) for remote access to corporate email.

Other requirements involve passwords, including requiring the use of strong and complex passwords, rotating passwords, and using secure password storage systems. This is in addition to using enhanced behavior analytics tools to log and monitor possible security events on Carnival’s network, and using third-party security assessments.

The company also must implement and use a breach response and notification plan.

New York has been one of the most aggressive in the case. Its own investigation found that Carnival had violated the state’s computer security laws that went into effect in March 2017. Those violations included a lack of MFA, poor employee cybersecurity training, and failing to promptly report the first cybersecurity fiasco. All of that combined left the company’s systems and customer information vulnerable to cybercriminals between 2018 and 2020, the state agency said.

At the time of the security incidents, Carnival – which also owns Costa, Cunard, Holland America, Princess and Seabourn – was licensed to sell insurance in New York, which made it subject to DFS’ security regulations. As part of its settlement, Carnival gave up its insurance-selling business in New York.

The Register has reached out to Carnival for a response, though none was received before publication time. That said, the company told Reuters in a brief statement that it cooperated with New York officials and that data privacy and protection were important to the company. Carnival didn’t admit to any wrongdoing. ®