A New York state regulator has fined cruise line operator Carnival $5 million for cyber security violations, following four security breaches from 2019 to 2021 that exposed customer data.
New York’s Department of Financial Services said Carnival has violated a state cyber security regulation by failing to use multi-factor authentication that would make it harder for wrongdoers to access its internal network.
It said Carnival failed to report one breach and conduct adequate cybersecurity awareness training for employees.
The regulator said the failures caused Carnival to file improper cybersecurity compliance certifications from 2018 to 2020.
Carnival was at the time licensed to sell insurance in New York, which the Miami-based company no longer does. Two of the breaches involved ransomware attacks, the regulator said.
Carnival in a statement said it cooperated with the regulator and admitted no wrongdoing, and that data privacy and protection were extremely important to the company.
Carnival does not reveal its budget for information technology deployment or cyber security partners.
Carnival’s brands also include Costa, Cunard, Holland America, Princess and Seabourn. The company also reached a separate $1.25 million settlement on Thursday with the attorneys general of 45 U.S. states and Washington, D.C. over one of the breaches. At this time, it is not clear whether Carnival will face more penalty due to the cyber security incident.