Carnival Cruises, the world’s largest travel leisure firm which operates over 100 ships for millions of vacationing customers, has been fined a total of $6.25 million following a series of security mishaps.
Between April and July 2019, Carnival suffered a data breach that saw unauthorised parties gain access to information about 180,000 employees and customers.
As The Record reports, the hackers were able to break into employees’ email accounts, which allowed them to send convincing-looking phishing emails and gave them access to an alarming amount of sensitive data.
Details exposed included guests’ names, addresses, social security numbers, passport or driving license details, credit card and financial account information, and health-related information.
The company did not notice suspicious activity on its network until late May 2019 (the breach continued, by Carnival’s own admission, until July 23 2019), and the data breach was only made public in March 2020 – ten months later.
An investigation determined that employees’ email accounts were not hardened with multi-factor authentication.
Clearly, that would have been bad in itself, but some months later Carnival discovered that it had fallen foul of hackers again.
On August 15 2020, Carnival detected that it had suffered a ransomware attack that saw cybercriminals encrypt some of the data on its network, and once again exfiltrate sensitive personal information about customers and employees.
That’s clearly not the kind of news anyone wants to hear from their employer or the company that’s taking them on vacation.
To its credit, on this occasion, the cruise ship company went public about the attack within just a couple of days and took steps to contain and remediate the security breach with the help of external experts.
At the time, in a regulatory filing, the corporation warned that the unauthorised data access might lead to claims from guests, employees, shareholders, and others.
That warning has now clearly come true.
As The Register reports, Carnival has agreed to pay penalties totaling $6.25 million for its failure to properly secure data.
Carnival has committed to providing better cybersecurity training for its employees, putting better password security practices in place, improving its email defences, and enabling multi-factor authentication for those accessing their corporate email remotely.