Carnival Corporation & plc. has provided clarification on a recent data breach, stating that it was triggered after an unauthorized actor used clever tactics to deceive an employee and gain access to a limited portion of the company's IT system.
Now, millions of cruisers have begun receiving emails from Carnival Corp., informing them that their data was impacted during the cybersecurity incident. The company oversees a global portfolio that includes multiple well-known cruise lines, including Carnival Cruise Line, Holland America Line, Princess Cruises, Costa Cruises, Seabourn, and Cunard.
Exposed information included names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers (e.g., driver's license numbers and passport numbers).
However, according to CyberInsider, the leak does not appear to include personal financial account information. That said, it could still be used in targeted phishing attacks, identity fraud, or social engineering campaigns impersonating Carnival Corp. brands or travel partners.
Furthermore, a notice submitted to the Maine Attorney General's Office claimed that 5,995,277 people were impacted, with 9,746 residing in Maine.
"On April 14, 2026, the company's IT security team identified unauthorized activity involving an employee's account," Carnival Corp. said in a public press release.
"The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation the company determined [that] the bad actor illegally accessed certain personal information."
Victims of the data breach were notified by Carnival
In addition to notifying affected individuals via email, Carnival is also offering victims in the U.S. two years of complimentary credit monitoring through TransUnion.
"The notices provide the nature of the information involved and contact details for the dedicated TransUnion call center established to assist with enrollment for eligible individuals and to address any inquiries related to the incident. Individual notifications were issued starting May 27, 2026," the release continues.
Carnival also reminded individuals to remain vigilant against potential identity theft or fraud by regularly reviewing account statements and monitoring credit histories for any signs of unauthorized transactions or suspicious activity.
They also advised anyone who suspects they may be a victim of identity theft or fraud to contact their local police as soon as possible.
Lawsuits filed against Carnival Cruise Line
Following the cyberattack, Carnival Corp. is facing a wave of lawsuits accusing the brand of negligence, which claim that the company had inadequate cybersecurity protocols and failed to promptly notify affected victims.
All three lawsuits were filed against Carnival Corp. in the United States District Court for the Southern District of Florida. The first, filed by Zachary Pottle of Florida, argues that the company didn't have adequate data security protocols in place.
Pottle's legal team adds that Carnival should have been able to foresee that a data breach was possible, given the recent increase in cyberattacks targeting large financial and travel corporations, and take adequate precautions to protect their customers' data.
In her lawsuit, Yvonne Vasquez of California also argued that additional security measures, such as two-factor authentication, should have been in place.
Moreover, the third lawsuit, filed by Ashley Cole of Tennessee, states that ShinyHunters, the cybercriminal group behind the attacks, warned Carnival that data would be leaked if the company did not comply with their demands by April 21, which didn't happen.