COLUMBUS — Ohio Attorney General Dave Yost and 45 other attorneys general announced Wednesday a $1.25 million settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach.
The settlement resolves a multistate investigation of the data breach, which involved the personal information of about 180,000 Carnival employees and customers, including 4,000 Ohioans. Ohio will collect more than $48,000 from the settlement.
“Carnival failed to promptly inform its customers and employees of the data breach, and that’s not OK,” Yost said. “Let’s hope this settlement persuades the company to run a tighter ship from now on.”
Carnival publicly announced the breach in March 2020, explaining that a hacker had gained access to certain employee email accounts. The breach notification stated that Carnival had first become aware of suspicious email activity 10 months earlier, in late May 2019.
A multistate investigation ensued, focusing on Carnival’s email security and compliance with state breach notification statutes.
Carnival has agreed to the following provisions to strengthen its email security and breach response:
- Implementing and maintaining a breach response and notification plan.
- Requiring email security training for employees, including dedicated phishing exercises.
- Establishing multifactor authentication for remote email access.
- Creating password policies and procedures requiring the use of strong, complex passwords, password rotation and secure password storage.
- Maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network.
- Undergoing an independent information security assessment, consistent with previous data breach settlements.
Connecticut, Florida and Washington led the investigation, assisted by Ohio, Alabama, Arizona, Arkansas and North Carolina. They were joined by 37 other states and the District of Columbia.