New York’s Department of Financial Services has fined cruise line operator Carnival Corp $5m for what were described as significant cybersecurity violations. The fine followed four security breaches between 2019 and 2021 that the state regulator said had exposed substantial amounts of sensitive customer data.
Carnival was said to have violated a state cybersecurity regulation by failing to use multi-factor authentication, which would have made it harder for hackers to access its internal network. It also said Carnival failed to report one breach and conduct adequate cybersecurity awareness training for employees.
The regulator said the failures caused Carnival to file improper cybersecurity compliance certifications from 2018 to 2020.
Carnival was at the time licensed to sell insurance in New York, which the Miami-based company no longer does. Two of the breaches involved ransomware attacks, the regulator said.
Carnival noted that it had cooperated with the regulator and admitted no wrongdoing, and that data privacy and protection were “extremely important” to the company.
Carnival reached a separate $1.25m settlement on Thursday with the attorneys general of 45 US states and Washington DC over one of the breaches.
The news came a short time after Carnival had issued a bullish Q2 update that pushed the company’s share price up by 11%.
Although the company recorded an adjusted net loss of $1.9bn for Q2, cash from operations turned positive. Revenue increased by nearly 50% quarter on quarter. However, revenue per passenger cruise day (PCD) for Q2 decreased slightly compared to a strong 2019, the last comparable pre-pandemic period.
Occupancy rose to 69%, from 54% in Q1.
As of June 24, 2022, 91% of the company’s capacity is in guest cruise operation.
Booking volumes made during Q2 for all future sailings were nearly double the booking volumes during the previous quarter – the best quarterly booking volumes since the beginning of the pandemic.
Outgoing CEO and president Arnold Donald said that Carnival was “aggressively, yet thoughtfully, ramping up to full operations with over 90% of the fleet now in service”.
While the company said that its adjusted cruise costs excluding fuel had benefited from the sale of smaller-less efficient ships and the delivery of larger-more efficient ships, this benefit had been offset by a portion of its fleet being in pause status for part of the year, as well as restart-related expenses, an increase in the number of dry-dock days, the cost of maintaining enhanced health and safety protocols, inflation, and supply chain disruptions. The company anticipated that some of these costs and expenses would end in 2022. The company continued to expect to see a significant improvement in adjusted cruise costs, excluding fuel, from H1 to H2 2022, with a mid-teens increase for the full year 2022 compared to 2019.
Nevertheless the company expects a net loss for Q3 2022 and for the full year.