Commonwealth of Virginia
Office of the Attorney General
Jason S. Miyares
202 North 9th Street
Richmond, Virginia 23219
Attorney General Miyares Announces $1.25 Million Multistate Settlement Over 2019 Carnival Cruise Line Data Breach
Personal information of 3,091 Virginians was impacted by the breach
RICHMOND, VA – Attorney General Jason Miyares today announced that his office, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers. Over 3,000 Virginia residents were impacted by this breach. The Commonwealth's share of the settlement is $25,048.05.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts and personal information. Breach notifications sent to attorneys general's offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach.
"It is imperative that businesses that collect or maintain sensitive personal information take every precaution to keep that information secure," said Attorney General Miyares. "This matter also highlights the importance of promptly notifying the relevant government agencies and consumers when personal information is compromised, and I am pleased that we were able to reach a fair and reasonable settlement that addresses the conduct at issue."
Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. While there is no consumer restitution under this particular settlement, it contains important injunctive provisions aimed at curbing the lax information security practices that led to the breach, such as:
- Implementation and maintenance of a breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing exercises;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company's network; and
- An independent information security assessment, consistent with past data breach settlements.
The settlement, in the form of an Assurance of Voluntary Compliance, will be filed for approval with the Henrico County Circuit Court.