Carnival Corporation says a breach tied to an April social engineering attack exposed the personal information of 5,995,277 people, and the company is now sending notices and offering some U.S. travelers two years of free credit monitoring.
The scale alone makes the disclosure land hard today. Carnival said the compromised data included names, email addresses, phone numbers, dates of birth and driver’s license and passport numbers, a mix of identity details that can follow a traveler long after a trip ends and can be used in fraud if they get into the wrong hands.
In its notice filed with the Maine Attorney General’s office, Carnival said it identified unauthorized access to a limited part of its IT system in April and later concluded that a single user account had been compromised through a social engineering attack. The company said it blocked the activity, brought in third-party security experts and alerted law enforcement after spotting the intrusion.
Carnival said the breach notice and letters are part of a process it described as “slow,” and that its online FAQ includes the question, “Why am I just finding out about this?” for people it was unable to reach by mail. That detail matters because some affected customers were not learning about the breach until well after the April intrusion, even as the company said it had already begun notifying people.
The missing piece is who was behind it. Carnival said an unauthorized actor deceived an employee to gain access, but it has not identified a hacker group or named any specific attacker. The company said it is still carrying out a thorough, time-consuming analysis to determine exactly what was compromised while adding new layers of security and monitoring on top of existing protections.
Carnival’s footprint explains why the breach carries broader weight. The company said its 2025 annual report showed it served about 13.5 million guests on a fleet of 90 ships, through brands including Carnival Cruise Line, AIDA, Costa, Cunard, Holland America, P&O and Princess. For now, the company is focused on notification letters, credit monitoring and damage control, but the unresolved question is how much of those travelers’ identities may already have left Carnival’s systems.
