South Carolina joins multistate settlement in Carnival Cruise Line data breach

FILE - The logo for Carnival Cruise Line is shown in this image.
FILE - The logo for Carnival Cruise Line is shown in this image.(Source: Carnival Cruise Line via MGN)
Published: Jun. 22, 2022 at 12:19 PM EDT|Updated: Jun. 22, 2022 at 3:25 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

COLUMBIA, S.C. (WIS) - South Carolina joined 45 other states in a settlement against Carnival Cruise Line in relation to a 2019 data breach.

The Florida based company agreed to pay $1.25 million in the settlement. South Carolina will receive $20,500.21 from the action.

In March of 2020 the company reported an unauthorized access to employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information and a number of Social Security numbers. The breach impacted 2,259 South Carolinians.

In total, roughly 180,000 employees and customers of the company had their information accessed.

Carnival initially became aware of the suspicious email activity in late May of 2019. South Carolina Attorney General Alan Wilson said investigation revealed the company waited approximately 10 months before reporting the breach.

As part of the settlement the company has agreed to strengthen their digital security. These include:

  • Implementing a plan for future breaches
  • Email security training for employees
  • Multi-factor authentication for remote email access
  • Stronger password policies and rotations for their company
  • Behavior analytics and enhanced monitoring for the company’s network
  • Independent information security assessment

The breach is classified as “unstructured”, meaning it involved personal information stored on email on other disorganized platforms. This makes it difficult for businesses to clearly see the data, making risks to customers higher and breaches more difficult to track.

Wilson said, “What happened in this case is a reminder that it could happen to any other business, so it’s important for businesses to take preventive measures to protect the private information of their customers.”

He continued, “They also need to follow regulations about notifying consumers promptly when there is a breach of private information.”

Copyright 2022 WIS. All rights reserved.

Notice a spelling or grammar error in this article? Click or tap here to report it. Please include the article’s headline.