Carnival Cruise Line Data Breach Nets New Jersey $25,000 in Lawsuit

Robert Walker

TRENTON – New Jersey will be receiving just $25,000 as part of a $1.25 million lawsuit against Carnival Cruise Line, according to Acting Attorney General Matthew J. Platkin. That settlement resolves a multistate investigation into a data breach that compromised the personal information of approximately 180,000 Carnival employees and customers nationwide.

“The multistate investigation determined that deficiencies in Carnival’s data security program contributed to the breach in violation of state consumer protection and personal information protection laws. The investigation also determined that Carnival did not provide adequate notice of the breach to consumers and regulators. New Jersey will receive approximately $25,097 from the settlement,’ Platkin said.

“The data security requirements of this settlement are as important as the dollars,” said Acting Attorney General Platkin. “Businesses that electronically store the sensitive personal information of their employees and customers not only have a duty to protect that data, but must also provide prompt breach notifications to consumers when that information is compromised. If businesses fail to do so, we will hold them accountable. As a result of the states’ investigation, Carnival must now tighten up its systems and practices in order to better protect consumer privacy going forward.”

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor had gained access to certain Carnival employee e-mail accounts. As a result, employee and customer names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers were compromised. A total of 3,100 New Jersey residents were impacted.


According to a press release issued today:

Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.

Unstructured data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging and increasing consumer risk because of delayed breach notification.

“As consumers turn more and more to online transactions and electronic payment methods, businesses have a greater responsibility than ever to protect their privacy by maintaining effective data security measures,” said Division of Consumer Affairs Acting Director Cari Fais. “That did not happen in this particular case, but the terms of the settlement are designed to ensure that it does happen going forward.”

Customers whose data was exposed or suffered damages will not receive compensation from this settlement as it represents just $8.33 per affected New Jersey resident.

Under the settlement announced today, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward.

Those include:

  • Implementation and maintenance of a breach response and notification plan;
  • Email security training requirements for employees, including dedicated phishing exercises;
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
  • Undergoing an independent information security assessment.

You appear to be using an ad blocker

Shore News Network is a free website that does not use paywalls or charge for access to original, breaking news content. In order to provide this free service, we rely on advertisements. Please support our journalism by disabling your ad blocker for this website.