Idaho Joins $1.25 Million Settlement over 2019 Carnival Cruise Data Breach

(BOISE) – Attorney General Lawrence Wasden today announced Idaho’s participation in a $1.25 million multistate settlement with Florida-based Carnival Cruise Line. The settlement stems from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide.

Idaho will receive $13,088. Per Idaho law, the money will be deposited into the state’s Consumer Protection Fund.

In March 2020, Carnival publicly reported a data breach in which an unauthorized individual gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. The breach affected 956 Idaho residents.

Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in May 2019 – approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.

“Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging. Delays in identifying and reporting such breaches increase consumer risk.

“National security breaches like this are occurring more frequently and have impacted hundreds of thousands of Idahoans,” Wasden said. “Idaho law requires an entity to investigate promptly a suspected security breach and to notify affected consumers if misuse of their private information has occurred or will occur. This notice requirement gives consumers the opportunity to better protect themselves from identity theft.”

The settlement includes 45 states and the District of Columbia. Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. Those include:

• Implementation and maintenance of a breach response and notification plan;
• Email security training requirements for employees, including dedicated phishing exercises;
• Multi-factor authentication for remote email access;
• Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
• Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
• Consistent with past data breach settlements, undergoing an independent information security assessment.