Carnival Cruises will be paying $1.25 million to settle a lawsuit filed by 46 attorneys general related to a data breach in 2019
that compromised data from 180,000 employees and clients across the U.S., reports The Record
, a news site by cybersecurity firm Recorded Future.
Threat actors behind the attack were able to infiltrate Carnival employee email accounts to access customer data, including names, addresses, and Social Security numbers, but Carnival only notified the public regarding the breach 10 months after its discovery.
"When personal data is exposed to bad actors, its essential that consumers are notified as quickly as possible. Added delays increase the possibility of that personal data being used for nefarious purposes," said Pennsylvania Attorney General Josh Shapiro.
Apart from providing states $10,000 to $70,000, Carnival will also move to adopt a breach response plan and independent information security evaluations, as well as offer its employees an email training program.
"This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information," said Connecticut Attorney General William Tong.