(Reuters) – A New York State regulator fined Carnival Corp. on Friday. $ 5 million for “significant” cybersecurity violations, following four security breaches from 2019 to 2021 that revealed significant amounts of sensitive customer data.
The New York Department of Financial Services said Carnival violated a state cyber security ordinance by failing to use multifactor authentication that would make it more difficult for perpetrators to access its internal network.
It also said that Carnival failed to report an intrusion and to conduct adequate cybersecurity awareness training for employees.
The regulator said the failures prompted Carnival to file incorrect cybersecurity certifications from 2018 to 2020.
At the time, Carnival was licensed to sell insurance in New York, which the Miami-based company no longer does.
Two of the intrusions involved ransomware attacks, the regulator said.
In a statement, Carnival said they cooperated with the regulator and did not admit any wrongdoing.
Carnival’s brands include Costa, Cunard, Holland America, Princess and Seabourn.
The company reached a separate $ 1.25 million deal on Thursday with the Attorney General of 45 U.S. states and Washington DC over one of the violations.
Earlier on Friday, Carnival said it expected occupancy levels to return to historic levels by 2023, and at higher prices, as more travelers return to the oceans despite the covid-19 pandemic.