Carnival fined US$5m in NYC for failing to disclose breach

Carnival cruises fined US$5 million (AU$7.2 million) by New York’s Department of Financial Services for “significant cyber security violations”, after four security breaches from 2019 to 2021 that exposed a sizeable amount of sensitive customer data.

The cruise line operator had violated a state cyber security regulation by failing to use multi-factor authentication (MFA) that would make it harder for malicious cyber actors to access its internal network, according to New York's Department of Financial Services.

The regulator added that Carnival failed to report one breach and neglected to conduct adequate cyber security awareness training for its employees.

The failures caused Carnival to file improper cyber security compliance certifications from 2018 to 2020.

The regulator disclosed two of the Carnival breaches involved ransomware attacks.

In a statement, Carnival admitted no wrongdoing, had cooperated with the regulator and that data privacy and protection were "extremely important" to the company.

According to Reuters, the company reached a separate US$1.25 million settlement with the attorneys general of 45 US states and Washington, DC over one of the breaches.

Carnival stated it is expecting occupancy to return to historical levels in 2023, and at higher prices, as more travellers return to the seas despite the COVID-19 pandemic.

Carnival's brands also include Costa, Cunard, Holland America, Princess and Seabourn.