Nearly 6 million individuals affected in Carnival Cruise Line data breach

Carnival Corporation, the operator of one of the world’s largest fleet of luxury cruise ships, has announced that a data security incident earlier this year compromised the sensitive personal information of nearly 6 million individuals.

 

Headquartered in Miami, Carnival Cruise Line is one of the world’s largest cruise companies, offering affordable and entertaining vacations to destinations like the Caribbean, Alaska, and Europe. The company operates a large fleet of ships featuring dining, entertainment, and family-friendly activities for millions of travelers each year.

 

In a data security incident notice filed with the Office of Maine Attorney General, Carnival Corporation, the operator of the Carnival Cruise Line, said that on April 14, its IT team discovered unauthorised access involving an employee account. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“On April 22, 2026, the Company first determined that the bad actor illegally copied personal information,” Carnival Corporation said. “The Company acted swiftly to block the unauthorised activity and immediately began working with third party security experts to further strengthen our security and to conduct a thorough investigation.” 

 

The compromised data included names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers including Social Security numbers. The filing with the Maine state regulator also states that Carnival Cruise has identified at least 5,995,277 individuals who were impacted by the incident.

 

The cruise ship operator has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.

 

The ShinyHunters hacker group claimed responsibility for the cyberattack on Carnival Cruise Line, listing the company as a victim on its data leak site. The group claimed it had obtained 8.7 million records from Carnival’s systems and published the data in late April, indicating that ransom negotiations had failed.