For Immediate Release
June 22, 2022
Michael S. Garrity, Director of Communications
email@example.com | (603) 931-9375
Brandon H. Garod, Senior Assistant Attorney General
Chief, Consumer Protection and Antitrust Bureau
Brandon.H.Garod@doj.nh.gov | (603) 271-1217
Concord, NH – Attorney General John M. Formella announces today that New Hampshire, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. New Hampshire will receive $10,907 from the settlement.
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver's license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. 520 New Hampshire residents were impacted.
Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019–approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival's email security practices and compliance with state breach notification statutes.
"Carnival should have immediately reported this breach. Institutions that store the personal information of their customers and employees have a responsibility to notify law enforcement and potential victims as soon as possible when hacks like this occur," said Attorney General Formella. "This case should serve as an example to corporations and company executives that quickly sounding the alarm to law enforcement is crucial when dealing with the aftermath of a data breach, as it is a best practice in preventing further loss of data and private information."
"Unstructured" data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.
Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. Those include:
Connecticut, Florida and Washington co-led this multistate investigation, assisted by Alabama, Arizona, Arkansas, Ohio, and North Carolina, and joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.
New Hampshire Department of Justice
33 Capitol Street | Concord, NH | 03301