Cruise line operator forfeits $5M in settlement with New York's financial regulator over cybersecurity violations
Carnival Corporation, the world's largest cruise line operator, has been hit with a $5 million penalty by the New York State Department of Financial Services (DFS) for multiple cybersecurity violations between 2019 and 2021.
The violations, which include failures in multifactor authentication, in prompt disclosure of cybersecurity incidents, and in cybersecurity training for employees, came to light following a series of cyber attacks on the company. The first incident occurred in 2019 and involved phishing or brute force attacks on Carnival's email accounts.
Threat actors accessed 124 employee email accounts, primarily hosted on a Microsoft Office 365 platform, and sent out phishing emails to other employee accounts. In addition, the company reported ransomware attacks in August 2020 and January 2021, which exposed sensitive information of victims, including names, addresses, passport numbers, drivers' licenses, and in a smaller number of cases, social security numbers and credit card information.
The regulator found that Carnival did not provide adequate cybersecurity training to employees and that the company's Chief Information Security Officer (CISO) made timely, but improper certifications for the years 2018, 2019, and 2020. There is no publicly available information or records that specify which CISO Carnival Corporation appointed during these years, nor whether that CISO was involved in the cybersecurity violations identified by the DFS.
As a result of the DFS investigation, the company surrendered its license to sell insurance in New York. Carnival also cannot use insurance reimbursement to cover the cost of the DFS penalties.
In response to the cybersecurity incidents, Carnival brought in top executive-level talent to oversee the CIO function at a corporate level. The company also reached a separate $1.25 million settlement with 45 state and local attorneys general in the U.S. for allegedly failing to safeguard personal information of 180,000 customers and employees.
Under the settlement with multistate AGs, Carnival agreed to implement a breach response and notification plan, email security training, multifactor authentication for remote email access, and an independent information security assessment. The company has also stated that it has "strong oversight at the Board of Directors level" for cybersecurity.
New York state regulators have been cracking down on data protection and enforcement in recent years, with cybersecurity being a significant departmental priority. This penalty serves as a reminder to all corporations, particularly those handling sensitive personal information, to prioritise cybersecurity and comply with regulatory requirements.