Considered Negligent, Carnival Corp Fines IDR 74.1 Billion For Cybersecurity Breach

Shipping company Carnoval Corp has been fined for negligence in cybersecurity. (photo: @CarnivalCruise)

JAKARTA - A New York state regulator on Friday, June 24, fined shipping line operator Carnival Corp. $5 million for "significant" cybersecurity breaches. The fine comes after four security breaches from 2019 to 2021 that exposed large amounts of sensitive customer data.

The New York Department of Financial Services said Carnival violated state cybersecurity regulations by failing to use multi-factor authentication that would make it difficult for wrongdoers to access its internal network.

He also said Carnival failed to report a violation and conduct adequate cybersecurity awareness training for employees.

The regulator said the failure led Carnival to apply for an improper cybersecurity compliance certification from 2018 to 2020.

Carnival was then licensed to sell insurance in New York, which the Miami-based company no longer does. Two of the breaches involved ransomware attacks, regulators said.

In a statement cited by Reuters, Carnival said it was cooperating with regulators and acknowledged no wrongdoing, and that privacy and data protection were "very important" to the company.

Carnival's brands also include Costa, Cunard, Holland America, Princess and Seabourn. The company reached a separate $1.25 million settlement last Thursday with attorneys general from 45 U.S. states and Washington, DC over one of the offenses.

Earlier on Friday, Carnival said it expects occupancy rates to return to historical levels in 2023, and at higher prices, as more travelers return to the sea despite the COVID-19 pandemic.