Press releases
22.06.2022
Connecticut Co-Leads $1.25 Million Multi-State Settlement Over 2019 Carnival Cruise Line Data Breach
Connecticut to receive $67,505
(Hartford, CT) – Attorney General William Tong announced today that Connecticut, along with 45 other attorneys general, has reached a $1.25 million multi-state settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. Connecticut will receive $67,505.86 from the settlement.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to several Carnival employee email accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information and a relatively small number of Social Security Numbers. More than 1,200 Connecticut residents were affected.
Breach notices sent to the attorneys general’s offices stated that Carnival first became aware of the suspicious email activity in late May 2019—nearly 10 months before Carnival reported the breach. A multi-state investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.
“Unstructured” data breaches like the Carnival breach involve personal information stored through email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk increases with delays.
“It is important that Connecticut residents are notified quickly when their information may be at risk due to a data breach,” said Attorney General Tong. “This agreement sends the message that companies need to take stock of the information they hold and take reasonable steps to protect that information. Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or affected individuals of a breach.”
After the Carnival breach, Connecticut shortened the time frame for companies to provide notice of a data breach under the state’s breach notification statute from 90 days to 60 days.
Under the settlement, Carnival has agreed to a number of provisions designed to strengthen its email security and breach response practices going forward.
They include:
– Implementation and maintenance of a breach response and notification plan;
– Email security training requirements for employees, including dedicated phishing exercises;
– Multi-factor authentication for remote email access;
– Password policies and procedures that require the use of strong, complex passwords, password rotation, and secure password storage;
– Maintaining enhanced behavioral analytics tools to record and monitor potential security events on the company’s network; and
– Compliance with previous data breach agreements, subject to an independent information security assessment.
Connecticut co-led the multistate investigation with Florida and Washington, assisted by Alabama, Arizona, Arkansas, Ohio and North Carolina, and joined by Alaska, Colorado, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.
Assistant Attorneys General Aine DeMeo and John Neumon, and Michele Lucan, Chief of the Privacy Division, assisted the Attorney General in this matter.
- Twitter: @AGWilliamTong
- Facebook: CT Attorney General
Media contact:
Elizabeth Benton
[email protected]
Consumer inquiries:
860-808-5318
[email protected]