RICHMOND, Va. (WRIC) — A multistate settlement has been filed for a 2019 data breach from Carnival Cruise Line that compromised the personal information of thousands of Virginians.
Virginia Attorney General Jason Miyares announced on Wednesday that his office, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Carnival Cruise Line stemming from a 2019 data breach. The Commonwealth’s share of the settlement is just over $25,000.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts and personal information. According to breach notifications sent to attorneys general offices, Carnival first became aware of suspicious email activity in late May 2019 — approximately 10 months before Carnival reported the breach, which involved the personal information of around 180,000 Carnival employees and customers. More than 3,000 Virginia residents were impacted.
“It is imperative that businesses that collect or maintain sensitive personal information take every precaution to keep that information secure,” Attorney General Miyares said. “This matter also highlights the importance of promptly notifying the relevant government agencies and consumers when personal information is compromised, and I am pleased that we were able to reach a fair and reasonable settlement that addresses the conduct at issue.”
Under the settlement, Carnival would agree to a series of provisions designed to strengthen its email security and breach response practices going forward. These provisions include a breach response and notification plan, email security training for employees, multifactor authentication for remote email access, the use of stronger and complex passwords, as well as undergoing an independent information security assessment.
The settlement, in the form of an Assurance of Voluntary Compliance, is pending approval with the Henrico County Circuit Court.