Carnival Cruises Fined $5 Million for Cybersecurity Failures

Carnival Cruise Lines will have to pay more than $6.25 million to settle two lawsuits brought by 46 states in the U.S. after a series of cyberattacks allowed hackers to access private information about customers and workers.

Cyber Attack on Carnival Cruise

According to The Register, in 2020 the company disclosed that hackers had not only encrypted some of its data but had also downloaded the names and addresses, Social Security numbers, driver's license and passport numbers, and health and financial information of thousands of people in almost every state in the U.S.

Compliance Week, citing the consent order agreed to with Carnival Corporation and its subsidiaries in April 2020, reported that the company believed this first security breach happened as a result of a phishing email or password spray attack in 2019.

Between August 2020 and March 2021, there were three more breaches, two of which used ransomware, while the other involved phishing.

What Does DFS Say About These Cybersecurity Failures?

The company broke the cybersecurity rule set forth by the New York Department of Financial Services (DFS) by failing to report the first incident for 10 months, to add multi-factor authentication to its internal email policy, and to properly educate staff members about cybersecurity best practices, as per Compliance Week.

The company's cybersecurity compliance certifications for the calendar years 2018 through 2020, according to the department, were improper as a result of these cybersecurity failures.

Carnival Cruise Will Pay $5 Million

The Register mentioned that Carnival has agreed to pay the state $5 million as a fine for violating New York's cybersecurity regulations, according to a recent DFS statement. Carnival allegedly failed to adequately protect its computer systems and data, resulting in four cybersecurity incidents between 2019 and 2021, including two ransomware attacks.

According to William Tong, the attorney general of Connecticut, it's critical that anybody whose data has been exposed is alerted as soon as possible after a breach. 

"This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information," Tong said in a statement.

Meanwhile, a day before New York revealed its sanction for Carnival, several U.S. states, including Connecticut, announced they had reached a $1.25 million settlement with Carnival for the 2019 cyberattack.

Some of the plaintiffs began a more thorough investigation into Carnival's email security procedures and whether the company followed state laws requiring network breach notification in each of the 46 states. Alabama, Arizona, Arkansas, Ohio, and North Carolina provided support for the investigations, which were spearheaded by Pennsylvania, Connecticut, Florida, and Washington. The case was joined by the other states.

Carnival Cruise's Next Steps After the Cyber Attacks

Carnival committed to a number of measures to enhance email security as part of the multi-state deal, including training requirements for employees, phishing-focused exercises, and the use of multifactor authentication (MFA) for remote access to corporate email.

Passwords are also subject to additional constraints, such as the need to employ secure password storage systems, strong, complex passwords, and password rotation. In addition to third-party security evaluations, advanced behavior analytics tools are used to log and watch for potential security incidents on the Carnival network, as per The Register.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
