“Idaho law requires an entity to investigate promptly a suspected security breach and to notify affected consumers if misuse of their private information has occurred or will occur. “National security breaches like this are occurring more frequently and have impacted hundreds of thousands of Idahoans,” Wasden said. Delays in identifying and reporting such breaches increase consumer risk. Businesses lack visibility into this data, making breach notification more challenging. “Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes. The breach affected 956 Idaho residents. Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in May 2019 – approximately 10 months before Carnival reported the breach. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. In March 2020, Carnival publicly reported a data breach in which an unauthorized individual gained access to certain Carnival employee e-mail accounts. Per Idaho law, the money will be deposited into the state’s Consumer Protection Fund. The settlement stems from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. (BOISE) – Attorney General Lawrence Wasden today announced Idaho’s participation in a $1.25 million multistate settlement with Florida-based Carnival Cruise Line.
In addition to the monetary penalty of $5 million, NYDFS also accepted Carnival’s surrender of its insurance producer license; thus, Carnival has ceased selling insurance in New York. These incidents led to the exposure of customers’ names, addresses, dates of birth and passport numbers, as well as employees’ names, addresses, phone numbers, Social Security numbers, private health information and credit card numbers. Although Carnival had certified compliance with the Cybersecurity Regulation at the time of the incidents, NYDFS found that Carnival’s attestation of compliance was improper. Although the first attack resulted in exposing certain data such as names, addresses and government identification information of consumers and employees, Carnival failed to (1) report the incident to the NYDFS for 10 months, (2) conduct adequate cybersecurity training for its personnel, and (3) implement multi-factor authentication within its internal email policy. Between August 2020 and March 2021, Carnival reported three additional incidents, including two ransomware attacks and a phishing email where a threat actor deployed malware, accessed and encrypted certain internal information systems, and exfiltrated certain data files. The first cyber attack took place through a phishing email or password spray attack where unauthorized third parties gained access to 124 employee accounts and used that access to send a series of phishing emails. NYDFS also found that Carnival had failed to implement basic protocols to prevent data breaches. Since Carnival was licensed by the Department to sell insurance in NY State, it was treated as a covered entity under the Cybersecurity Regulation.
On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 20, including two ransomware events. In its consent order, the Department noted that the cybersecurity events had caused the exposure of a substantial amount of sensitive personal data belonging to Carnival’s customers, including those residing in New York.