Carnival Cruise Line (CCL) will pay more than US$6 million to end two separate lawsuits filed by 46 US states after sensitive personal information on employees and customers was accessed in a string of cyberattacks.
Two years ago, as the COVID crisis was taking hold, the Miami-based company revealed that intruders had not only encrypted some of its data but also downloaded a collection of names, addresses, driver's license numbers, Social Security numbers, passport numbers, payment details, and health information belonging to thousands of people in almost every US state.
CCL became aware of the first suspicious activity back in May 2019. This apparently was not disclosed until ten months later, in March 2020.
In 2019, the security operations team spotted an internal mail account sending spam to other addresses. Miscreants had hijacked a total of 124 employee Microsoft Office 365 mail accounts and were using them to send phishing emails to harvest more credentials. This gave the intruders access to personal data on about 180,000 Carnival employees and customers.
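The 2019 incident was first noticed because an internal mailbox suddenly behaved like a spam source. The following is an added detection example, not code from the article or from Carnival, that flags the same pattern in a mail-gateway log: an organisation mailbox that, within a short window, sends link-bearing messages to many distinct external recipients across several domains. The log line format, the organisation domain `example.com`, the thresholds and the sample log lines are all constructed for the example.

```python
"""Flag internal mailboxes that start mass-mailing external recipients.

Hypothetical detector: the log format, ORG_DOMAIN and thresholds are
assumptions for this example, not anything from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

ORG_DOMAIN = "example.com"  # assumed organisation mail domain

# Constructed outbound mail-gateway log: alice is normal traffic, carol sends
# an internal maintenance notice to a team, bob is a hijacked mailbox pushing
# a "document shared" lure to many external recipients within four minutes.
SAMPLE_LOG = """
2019-05-02T09:00:10 sender=alice@example.com rcpt=dave@example.com subject="Q2 deck" urls=0
2019-05-02T09:20:31 sender=alice@example.com rcpt=partner@vendor.test subject="Re: invoice" urls=1
2019-05-02T09:58:02 sender=alice@example.com rcpt=erin@example.com subject="Lunch?" urls=0
2019-05-02T10:00:00 sender=carol@example.com rcpt=ops-1@example.com subject="Maintenance window" urls=1
2019-05-02T10:01:00 sender=carol@example.com rcpt=ops-2@example.com subject="Maintenance window" urls=1
2019-05-02T10:02:00 sender=carol@example.com rcpt=ops-3@example.com subject="Maintenance window" urls=1
2019-05-02T10:03:00 sender=carol@example.com rcpt=ops-4@example.com subject="Maintenance window" urls=1
2019-05-02T10:04:00 sender=carol@example.com rcpt=ops-5@example.com subject="Maintenance window" urls=1
2019-05-02T10:05:00 sender=carol@example.com rcpt=ops-6@example.com subject="Maintenance window" urls=1
2019-05-02T11:00:00 sender=bob@example.com rcpt=u1@mail.test subject="Document shared with you" urls=1
2019-05-02T11:00:30 sender=bob@example.com rcpt=u2@mail.test subject="Document shared with you" urls=1
2019-05-02T11:01:00 sender=bob@example.com rcpt=u3@post.test subject="Document shared with you" urls=1
2019-05-02T11:01:30 sender=bob@example.com rcpt=u4@post.test subject="Document shared with you" urls=1
2019-05-02T11:02:00 sender=bob@example.com rcpt=u5@inbox.test subject="Document shared with you" urls=1
2019-05-02T11:02:30 sender=bob@example.com rcpt=u6@inbox.test subject="Document shared with you" urls=1
2019-05-02T11:03:00 sender=bob@example.com rcpt=u7@webmail.test subject="Document shared with you" urls=1
2019-05-02T11:03:30 sender=bob@example.com rcpt=u8@webmail.test subject="Document shared with you" urls=1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" urls=(?P<urls>\d+)$'
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "sender": d["sender"].lower(),
            "rcpt": d["rcpt"].lower(),
            "subject": d["subject"],
            "urls": int(d["urls"]),
        })
    return events


def detect_mass_mailers(events, window=timedelta(minutes=10),
                        min_recipients=5, min_domains=3):
    """Return {sender: summary} for org mailboxes that, inside `window`, sent
    link-bearing mail to >= min_recipients distinct external recipients
    spanning >= min_domains external domains. Internal-only bursts (such as a
    team notice) are deliberately ignored."""
    org_suffix = "@" + ORG_DOMAIN
    by_sender = defaultdict(list)
    for ev in events:
        if (ev["sender"].endswith(org_suffix)
                and not ev["rcpt"].endswith(org_suffix)
                and ev["urls"] > 0):
            by_sender[ev["sender"]].append(ev)

    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Slide a window starting at each event and count what it covers.
        for i, start in enumerate(evs):
            rcpts, domains = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                rcpts.add(ev["rcpt"])
                domains.add(ev["rcpt"].rsplit("@", 1)[1])
            if len(rcpts) >= min_recipients and len(domains) >= min_domains:
                if best is None or len(rcpts) > best["recipients"]:
                    best = {"window_start": start["ts"].isoformat(),
                            "recipients": len(rcpts),
                            "domains": len(domains)}
        if best is not None:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    for sender, info in detect_mass_mailers(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {info['recipients']} external recipients in "
              f"{info['domains']} domains from {info['window_start']}")
```

On the constructed log only `bob@example.com` is flagged: alice's single external link is below threshold, and carol's burst stays inside the organisation domain. The external-only and link-present filters are what keep a detector like this from paging on routine internal broadcasts; in practice the thresholds would be tuned per organisation and the alert would feed a workflow that forces a credential reset and a review of the mailbox's recent sent items.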
In August 2020, CCL said it had been hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, CCL was again infected with malware, and sensitive information was downloaded. In March 2021, a staffer's work email account was compromised and used to send out a phishing email, and sensitive information was again exposed.
Last week, New York's Department of Financial Services (DFS) announced that Carnival had agreed to pay US$5 million to the state as a penalty for falling foul of the department's Cybersecurity Regulation. Carnival was slipshod in defending its computer systems and data, and in all "had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks."
In a statement, DFS Superintendent Adrienne Harris said that a data breach exposing personal data allowed bad actors to, among other things, "commit identity theft, which can have significant repercussions on an individual's financial health," adding: "It is critical that companies take appropriate action to protect consumers' personal information."
Anyone with compromised data is notified as quickly as possible following a breach, Connecticut Attorney General William Tong said. A day before New York announced Carnival's penalty, Connecticut and several other states announced they had reached a US$1.25 million settlement with the company over the 2019 cyberattack.