AG Carr: Georgia Joins Multistate Settlement Over Carnival Data Breach
Thursday, June 23rd, 2022
Attorney General Chris Carr today announced that the State of Georgia, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. Georgia is positioned to receive $29,399.10 from the settlement.
“With bad actors consistently looking for new ways to steal personally identifiable information, it is critical that businesses institute strict protocols to help ensure customer data is kept safe,” said Carr. “This includes properly alerting consumers of a data breach so they can take immediate action to guard against identity theft. Cybersecurity remains one of our top priorities, and we will continue working with our public and private sector partners to protect the personal and financial information of our fellow Georgians.”
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information and a relatively small number of Social Security Numbers. In total, 3,887 Georgians were impacted.
Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019 – approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focused specifically on Carnival’s email security practices and compliance with state breach notification statutes.
“Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification all the more challenging – and consumer risk rises with delays.