Carnival breach exposed nearly 6 million travelers
- Carnival Corporation said on May 27 it began notifying people after an April cybersecurity incident exposed personal information tied to affected cruise travelers.
- Maine’s attorney general filing put the total at 5,995,277 people, after Carnival said an attacker used social engineering against an employee account.
- U.S. customers are being offered 24 months of TransUnion credit monitoring, and Carnival’s substitute notice lists a dedicated assistance call center.

Carnival Corporation began notifying customers on May 27 that an April cybersecurity incident exposed personal information tied to nearly 6 million people, according to the company’s public notice and a filing with the Maine attorney general.

The Miami-based cruise operator said its IT security team identified unauthorized activity involving an employee account on April 14. Carnival said an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT system. The company said it later determined on April 22 that personal information had been illegally copied.

### How many people were affected?

The Maine attorney general’s breach notice lists 5,995,277 affected individuals, including 9,746 Maine residents. Carnival’s website notice does not state the total publicly, but says notification letters were sent to people whose data was impacted and that substitute notice was posted for people with insufficient or outdated contact information. (carnivalcorp.com)

Travel Weekly reported on June 1 that the breach affected nearly 6 million people, citing the Maine filing. Carnival’s own media center lists a May 27 item titled “Carnival Corporation Notice of Data Breach” stating that notification letters had been sent to individuals affected by the April 2026 incident.

### What information does Carnival say was exposed?

Carnival said the affected data varies by individual, but the information identified so far includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers such as driver’s license and passport numbers. (maine.gov) The company said its analysis of the impacted data was still ongoing when it posted the notice. (travelweekly.com)

The Maine filing describes the acquired information as a name or other personal identifier in combination with other personal data. That filing also says consumer notifications began on May 27.
### How did Carnival say the breach happened?

Carnival said the incident began with unauthorized activity involving an employee account and that the attacker used social engineering to deceive an employee. (carnivalcorp.com) The company said it moved to block the activity and brought in third-party security experts to investigate and strengthen its systems.

The company’s notice says it has since enhanced security and monitoring controls and will continue to advance its IT security and data privacy controls. (maine.gov) Carnival also said it notified law enforcement and appropriate regulators, according to reporting that cited the company’s statements.

### What is Carnival offering affected customers?

Carnival said U.S. individuals whose data was affected are being offered two years of complimentary credit monitoring through TransUnion. (carnivalcorp.com) The substitute notice says the company set up a dedicated TransUnion call center to help eligible individuals enroll and answer questions.

Travel Weekly reported that the call center number provided in the notice is 1-844-593-8310. (carnivalcorp.com) Carnival’s public notice also urges people to monitor account statements and credit histories for signs of unauthorized activity.

### What happens next for customers?

Carnival’s notice says individual notifications were issued starting May 27, and the company posted substitute notice online for people it could not reach directly. (carnivalcorp.com) The Maine filing says the breach occurred on April 10 and was discovered on April 14, providing the timeline regulators received.

U.S. customers who receive notice can enroll in the 24-month TransUnion monitoring service described in Carnival’s letter. (travelweekly.com) People seeking details about whether their data was involved are being directed to the assistance resources listed in Carnival’s notice and state breach filing. (carnivalcorp.com)