Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
2022-06-28 02:58

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive personal information on customers and employees was accessed in a string of cyber attacks.

Late last week, New York's Department of Financial Services announced Carnival had agreed to pay $5 million to the state as a penalty for falling foul of NY's Cybersecurity Regulation.

A day before NY announced its punishment for Carnival, Connecticut and a bunch of other US states announced they had reached a $1.25m settlement with Carnival regarding the 2019 cyber attack.

As part of the multi-state deal, Carnival agreed to a series of steps to improve its email security, including requiring training for employees, exercises focusing on phishing, and using multi-factor authentication for remote access to corporate email.

Its own investigation found that Carnival had violated the state's computer security laws that went into effect in March 2017.

The Register has reached out to Carnival for a response, though none was received before publication time.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/28/carnival-cybersecurity-fines/