Carnival Cruise Pays $5M, Gives Up Insurance Licenses in New York Over Data Breach

New York’s financial services regulator has fined Carnival Corp. $5 million for violations of the state’s cybersecurity regulations that the state says caused four cyber breaches and the exposure of personal data belonging to its customers, including New York consumers. The company has also surrendered its travel insurance licenses, according to the consent order.

The Department of Financial Services said its investigation uncovered evidence that the Carnival companies had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks. These events involved the unauthorized access of the companies’ information systems. According to DFS, the companies violated the DFS cybersecurity regulations by failing to implement multi-factor authentication, failing to promptly report the first cybersecurity event, and failing to conduct adequate cybersecurity training for the companies’ personnel.

At the time of the incidents, the Carnival Companies were licensed insurance producers in New York state, sold various travel insurance products, and thus were subject to DFS’s cybersecurity regulation, according to the department. In connection with the settlement, the Carnival Companies surrendered the insurance producer licenses. As a result, the companies have ceased selling insurance in the state.

Carnival Corp. operates Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines.

“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said DFS Superintendent Adrienne A. Harris.

The DFS cybersecurity regulation became effective in March 2017.