A 2019 data breach that compromised the personal information of about 180,000 Carnival Cruise Line employees and customers across the country has led to a $1.25 million multistate settlement.
Attorney General William Tong said Wednesday that Connecticut is among 45 states that settled with the Florida-based cruise line. The Nutmeg State’s share is $67,505.
Carnival publicly reported the data breach in March 2020 – about 10 months after it occurred, according to Tong’s office.
An intruder gained access to employee email accounts, including names, addresses, passport numbers, driver’s license numbers, payment card information, health information and Social Security numbers, Tong said. The breach affected more than 1,200 Connecticut residents.
“This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information,” Tong said. “Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”
The breach prompted multiple states to investigate the company’s email security practices and compliance with state breach notification statutes.
Connecticut recently shortened the time limit for companies to provide notice of a data breach from 90 days to 60 days. It’s among a handful of states stepping up efforts to protect the privacy of consumer data.
Under the settlement, Carnival has agreed to strengthen its email security and breach response practices. Those include:
- Implementation and maintenance of a breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing exercises;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
- Undergoing an independent information security assessment.
