News Department

NJ announces settlement with Carnival Cruise Line over 2019 data breach that compromised personal information from its employees, customers

Photo of Jay Edwards Jay EdwardsJune 22, 2022
1,196 2 minutes read

NEW JERSEY – Acting Attorney General Matthew J. Platkin announced Wednesday that New Jersey is party to an overall $1.25 million settlement with Florida-based Carnival Cruise Line that resolves a multistate investigation into a data breach that compromised the personal information of approximately 180,000 Carnival employees and customers nationwide.

The multistate investigation determined that deficiencies in Carnival’s data security program contributed to the breach in violation of state consumer protection and personal information protection laws. The investigation also determined that Carnival did not provide adequate notice of the breach to consumers and regulators. New Jersey will receive approximately $25,097 from the settlement.

Overall, Carnival will pay the participating states a total of $1.25 million under the settlement and implement a number of new requirements that will strengthen Carnival’s email security and data breach response practices going forward.

“The data security requirements of this settlement are as important as the dollars,” Platkin said. “Businesses that electronically store the sensitive personal information of their employees and customers not only have a duty to protect that data, but must also provide prompt breach notifications to consumers when that information is compromised. If businesses fail to do so, we will hold them accountable. As a result of the states’ investigation, Carnival must now tighten up its systems and practices in order to better protect consumer privacy going forward.”

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor had gained access to certain Carnival employee e-mail accounts. As a result, employee and customer names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers were compromised. A total of 3,100 New Jersey residents were impacted.

Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.

Unstructured data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging and increasing consumer risk because of delayed breach notification.

“As consumers turn more and more to online transactions and electronic payment methods, businesses have a greater responsibility than ever to protect their privacy by maintaining effective data security measures,” said Division of Consumer Affairs Acting Director Cari Fais. “That did not happen in this particular case, but the terms of the settlement are designed to ensure that it does happen going forward.”

Under the settlement announced today, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward.

Those include:

  • Implementation and maintenance of a breach response and notification plan
  • Email security training requirements for employees, including dedicated phishing exercises
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network
  • Undergoing an independent information security assessment

In addition to New Jersey, the following states’ Attorneys General participated in today’s settlement: Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, North Carolina, Ohio, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Photo of Jay Edwards Jay EdwardsJune 22, 2022
1,196 2 minutes read
Photo of Jay Edwards

Jay Edwards

Born and raised in Northwest NJ, Jay has a degree in Communications and has had a life-long interest in local radio and various styles of music. Jay has held numerous jobs over the years such as stunt car driver, bartender, voice-over artist, traffic reporter (award winning), NY Yankee maintenance crewmember and peanut farm worker. His hobbies include mountain climbing, snowmobiling, cooking, performing stand-up comedy and he is an avid squirrel watcher. Jay has been a guest on America’s Morning Headquarters,program on The Weather Channel, and was interviewed by Sam Champion.

Related Articles

NJ Cannabis Regulatory Commission approves 7 dispensaries to sell recreational cannabis

April 12, 2022

Bill increasing funding for Code Blue Shelters clears committee

February 18, 2024

Gov. Murphy submits request to President Biden for FEMA Major Disaster Declaration

July 29, 2023

COVID-19 case count in Morris County

September 14, 2022
Back to top button