A New York state regulator on Friday fined cruise line operator Carnival Corp $5 million for "significant" cybersecurity violations, following four security breaches from 2019 to 2021 that exposed substantial amounts of sensitive customer data.
New York's Department of Financial Services said Carnival violated a state cybersecurity regulation by failing to use multi-factor authentication that would make it harder for wrongdoers to access its internal network.
It also said Carnival failed to report one breach and failed to conduct adequate cybersecurity awareness training for employees.
The regulator said the failures caused Carnival to file improper cybersecurity compliance certifications from 2018 to 2020.
Carnival was at the time licensed to sell insurance in New York, which the Miami-based company no longer does. Two of the breaches involved ransomware attacks, the regulator said.
In a statement, Carnival said it cooperated with the regulator and admitted no wrongdoing, and that data privacy and protection were "extremely important" to the company.
Carnival's brands also include Costa, Cunard, Holland America, Princess and Seabourn. The company reached a separate $1.25 million settlement on Thursday with the attorneys general of 45 U.S. states and Washington, D.C. over one of the breaches.
Earlier on Friday, Carnival said it expected occupancy levels to return to historical levels in 2023, and at higher prices, as more travellers return to the seas despite the COVID-19 pandemic.
Carnival shares rose as much as 10.8% to $10.69 in Friday trading, but remained more than 62% below their level a year earlier.