North Carolina will receive $42,830 from a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers, including 3,139 North Carolinians.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts.
The breach included names, addresses, passport numbers, driver’s license numbers, payment-card information, health information, and a relatively small number of Social Security numbers.
In its breach notification, Carnival stated that it first became aware of suspicious email activity in late May 2019, approximately 10 months before it reported the breach. In their investigation, the attorneys general focused on Carnival’s email security practices and compliance with state breach notification statutes.
Carnival has agreed to strengthen its email security and breach response practices going forward, including by implementing and maintaining a breach response and notification plan, monitoring potential security events, putting in place employee email security training, multi-factor authentication for remote email access, and stronger password policies, and undergoing an independent information security assessment.