DFS SUPERINTENDENT HARRIS ANNOUNCES $5 MILLION PENALTY ON CRUISE COMPANY CARNIVAL CORPORATION AND ITS SUBSIDIARIES FOR SIGNIFICANT CYBERSECURITY VIOLATIONS
Carnival, the world’s largest cruise operator, detected a ransomware attack (a data-hijacking cyberattack) that could have given unauthorized access to the personal data of customers and employees. The attack encrypted part of the company’s information technology systems and also downloaded some company data files, according to Carnival.
Superintendent of the Department of Financial Services, Adrienne A. Harris, announced that Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (collectively, the “Carnival Companies”) will pay a $5 million penalty for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including New York consumers.
The Department’s investigation uncovered evidence that the Carnival Companies had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks. These Cybersecurity Events involved the unauthorized access of the companies’ information systems, leading to the exposure of customers’ sensitive, personal data. The Department’s investigation uncovered, among other things, that the Carnival Companies violated the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”), failing to promptly report the first Cybersecurity Event to the Department as required by the Regulation, and failing to conduct adequate cybersecurity training for their personnel.
DFS Investigation Uncovers Carnival Corporation and its Subsidiaries Failed to Implement Basic Cybersecurity Protections, Falling Victim to Breaches that Exposed Customers’ Private Data.
The company is working with cybersecurity firms to respond to this threat, defend its technological systems and remedy what happened.
What is ransomware?
6 tips to prevent a ransomware attack
Cybersecurity measures and common tasks can help minimize the risks of a ransomware attack:
- Install cybersecurity software on all your devices and don’t let it expire.
- Delete suspicious emails and text messages that claim to be from an organization — such as your bank, credit card company, favorite shopping site, an internet service provider, the IRS or Microsoft — instead of clicking on a link that could take you to an authentic-looking but phony site asking you to input personal or financial information.
- Never click on email attachments that you’re not expecting.
- Keep apps and operating systems fully updated, allowing them to update automatically when possible. Companies regularly release patches for their software after vulnerabilities have been discovered.
- Back up your information. Consider using an online cloud service like Dropbox, Google Drive, iCloud or OneDrive. Backups protect your files from all sorts of problems in addition to ransomware attacks, including computer virus infections, fires, floods, power surges or theft.
- Use Multi-Factor Authentication (“MFA”).
On the other hand, companies often cannot detect a targeted cyberattack on their own. They may remain under the illusion of security for years on end, considering the likelihood of a cyber risk materializing to be minimal. The situation is exacerbated when such companies have blind faith in the reliability of security automation tools and do not put the robustness of their infrastructure to the test. Unfortunately, security assessments prove that attackers can easily gain access to such systems.
Don’t think you’re out of danger because you’re “too small” and not a big company. Don’t let some lowlife thief operating outside the law in another country get away with taking that from you. And certainly don’t “hope” your IT guy has you covered. Even if you have a trusted IT person or company who put your current network in place, it never hurts to get a third party to validate that nothing was overlooked. We have no one to protect and no reason to conceal or gloss over anything we find. If you want the straight truth, we’ll report it to you. Fill out the form and learn more about what we can do for you.