RISKS

What Happened

The New York State Department of Financial Services imposed a $5 million penalty on Carnival Corp. for multiple violations committed in connection with four cybersecurity incidents — including two ransomware attacks — between 2019 and 2021.

The regulator found that the cruise line had failed to implement multifactor authentication (MFA), had taken 10 months to report the first of four data incidents (dating from 2019) to regulators, and had failed to conduct adequate cybersecurity training for employees.

Carnival was hit by a series of phishing or brute-force attacks, which the company’s security operations team first suspected in May 2019. The compromised email accounts were used to send spam to other internal accounts, according to a consent order between the company and the regulator.

Threat actors accessed 124 employee email accounts hosted primarily on a Microsoft Office 365 platform and sent out phishing emails to other employee accounts, the order said. Carnival didn’t report the incident to New York regulators until April 2020, even though the agency’s cybersecurity regulations on banks and insurers were imposed in 2017. Carnival was registered to sell life, health and accident insurance products in New York and the state financial regulator oversaw banking and insurance providers operating in the state.

The attacks exposed names, addresses, passport numbers, driver’s licenses and in a smaller number of cases, the social security numbers and credit card information of victims.

Carnival later reported ransomware attacks in August 2020 and January 2021. On Christmas Day 2020, the company discovered a malware attack that resulted in the encryption of several Costa Cruises computer systems, according to the consent order.

A fourth incident, linked to a phishing attack in March 2021, hit Carnival, Holland and Princess cruise lines.

Given the four incidents within three years, the regulator found that Carnival did not provide adequate cybersecurity training to employees. The regulator also found that Carnival’s CISO made timely but improper certifications for the years 2018, 2019 and 2020.

In addition, Carnival reached a separate $1.25 million settlement with 45 state and local attorneys general in the U.S. for allegedly failing to safeguard the personal information of 180,000 customers and employees. That’s a total of $6.25 million for its cybersecurity failures!

Why is this important?

The failure to implement multifactor authentication and the failure to properly provide cybersecurity training for employees led to multiple cybersecurity incidents and a $1.25 million settlement. The failure to meet its duty to promptly report the breach was a key factor in Carnival receiving the $5 million fine. That is before counting the reputational damage that Carnival’s repeated cybersecurity failures may have cost the company.

What does this mean to me?

Failing to exercise a duty of care in protecting the sensitive data your organization possesses can be costly. According to Microsoft, your accounts are 99.9% less likely to be compromised when using MFA. Training employees on cybersecurity best practices is also vitally important to protecting your data, since human error accounts for as much as 95% of security breaches experienced today. These are easy steps to take to protect your organization’s data and avoid the fate that Carnival experienced.


APPROACHES

Helpful Controls

Commonality of attack

High

Article on story

Carnival to pay $5M for cyber violations to NY financial regulator