Carnival Cruise Line confirms cyber incident exposed personal data

Carnival Cruise Line’s parent company, Carnival Corp., confirmed a cybersecurity incident that exposed personal information belonging to customers and other individuals after a threat actor gained access to an employee account through a social engineering attack.

The company said the incident was detected on April 14, 2026, when unauthorized activity involving a compromised employee account allowed the attacker to access a limited portion of Carnival’s IT systems. The company did not disclose which systems or business areas were affected.

Carnival said it moved quickly to contain the incident by blocking the unauthorized activity and engaging third-party cybersecurity specialists to investigate the breach and strengthen security protections.

The investigation determined that the attacker illegally accessed personal information that varied by individual. The compromised data included names, home addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers associated with passports and driver’s licenses.

Carnival said it has already notified individuals whose information was confirmed to be affected and issued a public notice for people whose contact information may have been outdated or incomplete.

The cruise operator is offering affected U.S. customers two years of complimentary credit monitoring services through TransUnion. Notification emails to impacted individuals began on May 27, 2026.

Carnival said the unauthorized access was carried out through social engineering tactics designed to deceive an employee and gain access to company systems. The company did not disclose the identity of the threat actor or whether any ransomware or extortion demands were involved in the incident.

“In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls,” Carnival said in its statement. “The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.”

The company urged affected individuals to remain alert for potential fraud or identity theft, monitor financial accounts and credit reports, and report suspicious activity to authorities. Carnival did not disclose how many individuals were affected by the incident.