Carnival Corporation said a social engineering attack on April 14 exposed personal data tied to just under six million people, and the cruise giant began sending direct notices to affected customers on Wednesday. The company said the breach involved names, addresses, email addresses, phone numbers, dates of birth and state identification numbers.
The disclosure marks a sharp turn from Carnival’s earlier position on the incident. At the time of the attack, the company acknowledged a phishing attempt against an employee but did not say whether any data had been accessed or stolen. Now it says the compromise reached far enough to trigger notifications and two years of free credit monitoring through TransUnion.
Carnival, the world’s largest cruise operator, confirmed the breach after hacking crew ShinyHunters claimed to have stolen millions of customer records and said it had lifted terabytes of company data. The filing with the Maine attorney general’s office put the number of affected individuals at just under six million, while the Have I Been Pwned database had previously listed 8.7 million records, leaving a gap between the company’s count and the broader tally that has circulated online.
The scale matters because the exposed information goes beyond basic contact data and includes state identification numbers, which can be used in identity fraud if paired with other personal details. Carnival said a thorough and time-consuming analysis of the impacted data led to the confirmation of what was taken, but it did not say whether any of that material was published, sold or otherwise traded after the intrusion.
That unanswered question is the one that matters most now. Carnival said it has taken steps to further safeguard its systems, including enhancing security and monitoring controls, but the breach’s full downstream impact will depend on whether the stolen material ever leaves the hands of the attackers and how many of the nearly six million affected people face follow-on fraud.
