Privacy & Information Security Law Blog

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.  

In its consent order, the Department noted that the cybersecurity events had caused the exposure of a substantial amount of sensitive personal data belonging to Carnival’s customers, including those residing in New York. Since Carnival was licensed by the Department to sell insurance in NY State, it was treated as a covered entity under the Cybersecurity Regulation. NYDFS also found that Carnival had failed to implement basic protocols to prevent data breaches. The first cyber attack took place through a phishing email or password spray attack where unauthorized third parties gained access to 124 employee accounts and used that access to send a series of phishing emails. Although the first attack resulted in exposing certain data such as names, addresses and government identification information of consumers and employees, Carnival failed to (1) report the incident to the NYDFS for 10 months, (2) conduct adequate cybersecurity training for its personnel, and (3) implement multi-factor authentication within its internal email policy.

Between August 2020 and March 2021, Carnival reported three additional incidents, including two ransomware attacks and a phishing email where a threat actor deployed malware, accessed and encrypted certain internal information systems, and exfiltrated certain data files. These incidents led to the exposure of customers’ names, addresses, dates of birth and passport numbers, as well as employees’ names, addresses, phone numbers, Social Security numbers, private health information and credit card numbers.

Although Carnival had certified compliance with the Cybersecurity Regulation at the time of the incidents, NYDFS found that Carnival’s attestation of compliance was improper. In addition to the monetary penalty of $5 million, NYDFS also accepted Carnival’s surrender of its insurance producer license; thus, Carnival has ceased selling insurance in New York.