Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers
May 28, 2026 
Carnival disclosed a data breach affecting nearly 6 million people after hackers used social engineering to access employee accounts.
Carnival Corporation is notifying nearly 6 million people after a data breach exposed personal information. According to the notification shared with the Maine Attorney General’s Office, the total number of persons affected is 5,995,277.
The company said attackers used social engineering to compromise an employee account on April 14, then accessed internal systems and stole files containing customer data.
The incident raises concerns about identity theft risks for affected individuals as investigations and notifications continue.
“On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system.” reads the notice of data breach. “The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. “As part of this investigation the company determined the bad actor illegally accessed certain personal information.”
The company quickly blocked the intrusion and launched an investigation with the help of external security experts. Investigators later confirmed the attackers accessed personal data that may include names, addresses, emails, phone numbers, dates of birth, and government-issued IDs such as passport and driver’s license numbers.
Carnival started notifying affected individuals on May 27, 2026, and is offering eligible US customers two years of free credit monitoring through TransUnion. The company said it improved its security and monitoring systems after the security incident and continues to improve data protection measures. The company urged customers to monitor bank accounts and credit reports for suspicious activity and contact police if they suspect identity theft or fraud.
In April, the popular cybercrime group ShinyHunters claimed the attack and the theft of 8.7 million records.
This isn’t the first data breach disclosed by the cruise line operator, other incident occurred in March 2021, August 2020, and May 2019.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
Stephan is the sports journalist for the Maple Grove Report.
