Idaho settles over 2019 Carnival Cruise data breach
The Gem State will receive just over $13,000
BOISE, Idaho (KMVT/KSVT) — The Idaho Attorney General’s Office announced a million-dollar settlement with cruise company Carnival Cruise over a 2019 data breach.
The settlement totals $1.25 million.
The breach involved the leaking of personal information of approximately 180,000 Carnival employees and customers nationwide.
Idaho will receive $13,088 as part of the settlement. As per Idaho law, the funds will go towards the Consumer Protection Fund.
In 2020, Carnival Cruise reported a data breach involving names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers, according to the Idaho Attorney General’s Office.
956 Idaho residents were affected by the data breach. The Idaho Attorney General says the company was aware of suspicious email activity in May 2019, around 10 months before they reported the breach.
“National security breaches like this are occurring more frequently and have impacted hundreds of thousands of Idahoans,” Idaho Attorney General Lawrence Wasden said.
“Idaho law requires an entity to investigate promptly a suspected security breach and to notify affected consumers if misuse of their private information has occurred or will occur. This notice requirement gives consumers the opportunity to better protect themselves from identity theft,” he continued.
45 states and the District of Columbia were involved in the suit. Carnival Cruises has agreed to the following set of provisions going forward:
- Implementation and maintenance of a breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing exercises;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
- Consistent with past data breach settlements, undergoing an independent information security assessment.
Copyright 2022 KMVT/KSVT. All rights reserved.