Hackers breached Carnival Corporation’s systems in April and exposed personal data tied to nearly 6 million people. Carnival said the hackers used social engineering to compromise an employee account and gain access to a limited portion of the company’s IT systems.
A data-breach filing with the Maine Attorney General’s Office says 5,995,277 people were affected. Carnival’s substitute notice says the compromised information varies by person, but may include names, addresses, email addresses, phone numbers, dates of birth, and, in some cases, passport and driver’s license numbers.
Reuters reported that Carnival discovered the unauthorized activity in April and later determined that personal information had been copied from its systems. The company said it blocked the activity, launched an investigation, brought in outside cybersecurity experts and began notifying affected individuals on May 27. Carnival is offering two years of free credit monitoring and identity-theft protection through TransUnion.
Reactions from affected customers were swift. Some customers discussing the breach online said they were especially concerned that passport numbers were part of the data set, while others complained that Carnival’s offer of free credit monitoring did little to ease their concerns after so many large-scale data leaks in recent years. (Update: a reader stated: “Carnival is only offering 2 years free credit monitoring to US citizens despite TransUnion being a global company. Their international customers are S.O.L.”)
One disgruntled customer whose sensitive information had been leaked said, “Not once do they apologize. I am so tired of these breaches. My kid is 13 and has been involved in like 4 already.”
Escudo Digital, in its article titled While Passengers Soak Up the Sun, Hackers Take Their Own Cruise Through Carnival Customers’ Data, reported that the hacking group ShinyHunters claimed responsibility, although Carnival did not identify any group in its public notice.
This is not the first cyber attack linked to a Carnival-owned cruise line. In 2020, CLN reported on a cyberattack on AIDA cruises and Costa Cruises.
In 2019, a data breach affected Carnival employees’ email accounts and exposed information of about 180,000 customers and workers, according to Escudo Digital. Regulators fined Carnival it $1.25 million for its poor handling of the incident.
The latest breach is far larger in scale: nearly 6 million people were affected, and Carnival’s own notice says passport and driver’s license information was among the data exposed in some cases.
Although this latest data breach was significant, it pales in comparison to other hacks of other well know major corporations. According to Cybercrime magazine, which discusses the top 25 data breaches, the largest largest data breach ever was the Yahoo hack, which affected all of it’s three billion user accounts. The magazine also discusses hacked corporation with compromised data ranging between 76,000,000 (million) and 3,000,000,000 (billion) documents.
Image credit: Hacker image – David Whelan – flicker via common / wikipedia.
June 3, 2026 P.M. Update: From a reader of CLN – “Carnival is only offering 2 years free credit monitoring to US citizens despite TransUnion being a global company. Their international customers are S.O.L.”