NYDFS $5 MILLION CYBERSECURITY ENFORCEMENT ACTION AGAINST CARNIVAL CRUISE LINES

More cybersecurity enforcement from NYDFS, this time against Carnival Cruise Lines.  Enforcement takeaways:

  • Carnival Cruise Lines paid $5 million and surrendered its license to be an insurance broker in New York.  It had sold life, accident and health insurance to cruise customers.
  • NYDFS alleged “significant” violations, including:
    • Failure to implement multi-factor authentication;
    • Failure to timely report a Cybersecurity Event;
    • Inadequate training;
    • False certification of compliance with Part 500.
  • Four Cybersecurity Events occurred between 2019 and 2021, including phishing incidents and ransomware attacks.
  • Sensitive Non-Public Information (NPI) of customers was exfiltrated.

The consent order may be found here:  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202206241

 
