Oregon Joins $1.25 Million Settlement over Carnival Cruise Data Breach

June 22, 2022
• Posted in ,

Attorney General Rosenblum and 45 other attorneys general today announced a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach. The data breach involved the personal information of approximately 180,000 Carnival employees and customers, including 2,311 Oregon residents. Oregon’s share of the settlement is $20,784.45.

In March 2020, Carnival reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before the company reported the breach.

“Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.

“These days, it’s easy to feel like your personal information is out of your control. That’s because, for the most part, it is! In the case of Carnival, very important data, like passport numbers, were breached because Carnival did not have proper safeguards in place,” said Attorney General Rosenblum. “We will continue to go after companies, like Carnival, that mishandle personal data and then fail to promptly inform consumers about a breach.”

Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. Those include:

  • Implementation and maintenance of a breach response and notification plan;
  • Email security training requirements for employees, including dedicated phishing exercises;
  • Multi-factor authentication for remote email access;
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
  • Consistent with past data breach settlements, undergoing an independent information security assessment.

In addition to Oregon, the settlement includes Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Washington, Wisconsin, and Wyoming.

In 2015, Attorney General Rosenblum spearheaded updates to Oregon’s data breach laws, giving the Oregon Department of Justice authority to enforce state penalties against violators. For more information on reporting a data breach to the Oregon Department of Justice visit: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/