image description

$1.25 Million Multistate Settlement with Carnival Cruise Line Over 2019 Data Breach announced

June 22nd, 2022 by WCBC Radio

Maryland Attorney General Brian E. Frosh today announced today that Maryland, along with 45 other states, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide.


In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee email accounts.  The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and, in a few instances, Social Security Numbers.


Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May 2019 – approximately 10 months before Carnival reported the breach.  A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes. 


“Consumers must be notified of a data breach involving their personal information as soon as possible so that they can take the appropriate steps to protect themselves,”  said Attorney General Frosh.  “Businesses must quickly identify the personal information they have stockpiled and promptly notify consumers if a breach occurs.  Delayed notification of data breaches increases the risk to consumers.”