Colorado Attorney General Phil Weiser announced on June 22 that Carnival, a cruise-based travel agency, will pay $24,752.87 to the state of Colorado in a $1.25 million multistate settlement after a 2019 data breach compromised the personal information of 3,037 Colorado residents. The company also agreed to implement additional data security safeguards to protect consumers’ information in the future.
“Protecting consumers’ personal information is not only required by law, but also is necessary to ensure people aren’t faced with identity theft and the many other problems that can arise when personal information is compromised,” Weiser said in a statement. “Businesses need to be vigilant to protect the personal information of their customers and employees from the actions of hackers and others intent on stealing that information.”
According to the Colorado AG’s Office, in late May 2019, Carnival learned that an employee email address was used to spam other company email accounts. In an apparent business email compromise attack, the intruders compromised 124 Carnival employee email accounts. Ten months later, Carnival notified more than 100,000 consumers nationwide whose personal information was found in the compromised email accounts.
Colorado law requires certain persons and entities to take reasonable steps to protect personal identifying information and dispose of that information when it’s no longer needed.
In the June 22 settlement, Carnival agreed to implement several specific data security safeguards, including a comprehensive information security program and an incident response and data breach notification plan.
According to the AG’s Office, the settlement funds will be used for reimbursement of the state’s actual costs and attorneys’ fees, the payment of any restitution and for future consumer fraud or antitrust enforcement, consumer education or public welfare purposes.
Colorado joined a coalition of 45 states and the District of Columbia in this settlement.