Carnival Corporation says breach exposed data of 5,995,277 people
carnival corporation says unauthorized access to a limited part of its IT system exposed personal information for 5,995,277 people after a social engineering attack on a single user account in April. The company has started notifying affected people and is offering some U.S. travelers two years of free credit monitoring.
The scope is large even by cruise-industry standards. Carnival served approximately 13.5 million guests in 2025 across a fleet of 90 ships, so a breach affecting nearly 6 million people reaches deep into the customer base that supports its bookings, loyalty records and travel communications.
Carnival Corporation breach details
Carnival said its investigation found that an unauthorized actor deceived an employee to gain access to its system. The company said certain personal information was illegally accessed, including names, email addresses, phone numbers, dates of birth and driver’s license and passport numbers.
That mix matters because it goes beyond routine contact data. Birth dates and government ID numbers are the kinds of details that can be reused across identity checks, travel documents and account recovery steps.
April access and response
In April, Carnival identified the unauthorized access and said it immediately blocked the activity, engaged third-party security experts and alerted law enforcement. The company said it is conducting a thorough and time-consuming analysis to determine exactly what was compromised.
Carnival also said it sent notification letters to affected people. It said it was not able to send letters to some people and addressed concerns about how long the notification process has taken, adding, “We understand this process can feel slow, and we appreciate your patience.”
Credit monitoring for travelers
The company said it is offering some U.S. travelers two years of free credit monitoring. It also said, “We’re notifying affected individuals and deeply regret any concern this causes,” and added, “Protecting the privacy and security of personal data is a priority for us and we've added new layers of security and monitoring on top of the comprehensive protections already in place.”
For affected customers, the immediate practical step is to watch for Carnival’s notice letter and use the credit monitoring if they receive it. The unresolved issue is the final inventory of what each person’s file contained, which Carnival said is still under analysis.
