Date: 2022-06-24

NEW YORK, June 24 (Reuters) - A New York state regulator on
Friday fined cruise line operator Carnival Corp $5
million for "significant" cybersecurity violations, following
four security breaches from 2019 to 2021 that exposed
substantial amounts of sensitive customer data.
New York's Department of Financial Services said Carnival
violated a state cybersecurity regulation by failing to use
multi-factor authentication that would make it harder for
wrongdoers to access its internal network.
It also said Carnival failed to report one breach and
conduct adequate cybersecurity awareness training for employees.
The regulator said the failures caused Carnival to file
improper cybersecurity compliance certifications from 2018 to
2020.
Carnival was at the time licensed to sell insurance in New
York, which the Miami-based company no longer does. Two of the
breaches involved ransomware attacks, the regulator said.
In a statement, Carnival said it cooperated with the
regulator and admitted no wrongdoing, and that data privacy and
protection were "extremely important" to the company.
Carnival's brands also include Costa, Cunard, Holland
America, Princess and Seabourn. The company reached a separate
$1.25 million settlement on Thursday with the attorneys general
of 45 U.S. states and Washington, D.C. over one of the breaches.
Earlier on Friday, Carnival said it expected occupancy
levels to return to historical levels in 2023, and at higher
prices, as more travelers return to the seas despite the
COVID-19 pandemic.
Carnival shares rose as much as 10.8% to $10.69 in Friday
trading, but remained more than 62% below their level a year
earlier.
(Reporting by Jonathan Stempel in New York; Additional
reporting by Ananya Mariam Rajesh in Bengaluru; editing by
Jonathan Oatis and Richard Chang)