
Colorado to receive nearly $25k in multistate settlement for 2019 Carnival data breach


DENVER, Colo. (KRDO) -- Carnival, a cruise-based travel agency, is set to pay the state of Colorado nearly $25,000 in a $1.25 million multistate settlement regarding a data breach that compromised personal information.

According to Colorado Attorney General Phil Weiser, Carnival learned that an employee's email address was used to spam other company email accounts in late May 2019. In an apparent business email compromise attack, the intruders compromised 124 Carnival employee email accounts.

According to the AG's Office, ten months later, Carnival provided notice to more than 100,000 consumers nationwide whose personal information was found in the compromised email accounts. Of those consumers, 3,037 were Colorado residents.

In Wednesday's settlement, Carnival agreed to implement several specific data security safeguards, including a comprehensive information security program and incident response and data breach notification plan to provide additional protections for consumers.

In total, Colorado is set to receive $24,757.87 from the settlement. The AG's Office said the funds will be used to reimburse the state's actual costs and attorney's fees, the payment of restitution if any, and for future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes.

“Protecting consumers’ personal information is not only required by law, but also is necessary to ensure people aren’t faced with identity theft and the many other problems that can arise when personal information is compromised,” Weiser said in a press release. “Businesses need to be vigilant to protect the personal information of their customers and employees from the actions of hackers and others intent on stealing that information.”

The settlement included 45 states and the District of Columbia.

For more information about Colorado’s data protection laws, click here.

Consumers who believe their personal information may have been compromised and their identity stolen can view Stop Fraud Colorado’s identity theft repair kit here.




  1. Interesting how our State is going to receive compensation, but not necessarily any of the people directly affected by the data breach.

    1. Yeah, I saw that too. The victims should have been compensated first. The AG’s Office is already taxpayer funded, so their expenses are covered.
