Wyoming Attorney General Bridget Hill announced Wednesday that Wyoming, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. Sheridan Media’s Ron Richter has the details.
Cruise Line Settlement
The State of Wyoming will receive $10,000 from the settlement. According to the Wyoming Office of the Attorney General Consumer Protection Unit, in March 2020, Carnival Cruise Line reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. 166 Wyoming residents were impacted. Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.
“Unstructured” data breaches like the Carnival breach, involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays. Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward.
Last modified: June 23, 2022