Carnival data breach 2021
8/11/2023

This year has seen some substantial new data breach settlements, including a $500,000 Federal Trade Commission (FTC) fine against CafePress, a $1.25 million multi-state class action settlement and $5 million New York Department of Financial Services (NYDFS) fine against Carnival Corporation (“Carnival”)[1] and a $4.5 million NYDFS fine against EyeMed Vision Care LLC (“EyeMed”). In an era of increasing scrutiny around cybersecurity practice, this assortment of settlements across companies in varying industries offers insight into how regulators view the application of core cyber protections, as well as their growing willingness to prescribe them.

In the most recent settlement, vision services health insurance company EyeMed settled with NYDFS for $4.5 million for allegedly violating the NYDFS Cybersecurity Regulation after a July 2020 email data breach that exposed the personal data of hundreds of thousands of customers. On July 1, 2020, EyeMed uncovered a phishing attack that gained access to a mailbox that nine employees shared, using the same username and password. EyeMed immediately started an investigation, blocking the unauthorized access and retaining outside breach counsel. From Juntil July 1, 2020, the hacker gained access to a total of six years’ worth of emails and attachments containing consumer personal data. EyeMed began notifying the affected individuals on September 28, 2020, and reported the event to NYDFS on October 9, 2020.[2]

NYDFS alleged that EyeMed violated the NYDFS Cybersecurity Regulation by: failing to implement a multifactor authentication (MFA) system requiring users to present multiple credentials to log in; failing to limit internal access to the email mailbox the hacker breached, by allowing nine employees to share login credentials; and conducting inadequate assessments of third-party vendors that did not meet the requirements for a cybersecurity risk assessment.

As part of the settlement, EyeMed agreed to take specific actions to strengthen its cybersecurity program, including:

- Conducting a comprehensive cybersecurity risk assessment within 180 days.[4]
- Identifying plans for revising controls in response to technological developments and evolving threats.
- Determining criteria for periodic assessments of any third party service providers within the cybersecurity risk assessment.
- Within 60 days of completing the cybersecurity risk assessment, submitting the results to NYDFS and developing a detailed action plan (subject to NYDFS approval) to address identified risks.[5]

Carnival Cruise Multi-State Class Action & NYDFS Settlements

NYDFS leveled its $5 million penalty against Carnival for alleged violations of the NYDFS Cybersecurity Regulation stemming from four data breaches between 2019 and 2021. Around the same time, a class action of 46 states settled with Carnival over the first of those breaches for $1.5 million. On May 22, 2019, Carnival became aware of suspicious activity in the form of a service desk ticket indicating that a company email account was sending spam to other internal email accounts. An internal investigation revealed that between Apand July 29, 2019, hackers had gained access to 124 employee email accounts (likely using phishing emails or brute-forcing passwords), enabling the hackers to access the personal data of 180,000 Carnival employees and customers. The attack exposed names, addresses and other identifying information such as passport and driver’s license numbers, as well as some social security numbers and credit card information.[6] At the time Carnival did not have an MFA system in place.[7] Carnival disclosed the breach in March 2020, ten months after the May 2019 discovery.[8] On August 19, 2020, Carnival reported a second cybersecurity event, a ransomware attack that encrypted company information systems and exfiltrated files. On January 7, 2021, Carnival reported its third cybersecurity event, another ransomware attack, delivered via phishing email.[9] Exposed consumer information included names, addresses, dates of birth, passport numbers and, in some cases, employee social security numbers and private health information.