A single employee fell for a social engineering scam, and nearly 6 million people are now dealing with the fallout.
Carnival Corporation, the world's largest cruise company, announced it identified unauthorized access to part of its IT system in April. The breach affected 5,995,277 people, according to a data breach notice the company filed with the Maine Attorney General's office.
According to Fox News Digital, Carnival said in a statement that "In April, we identified unauthorized access to a limited part of our IT system caused by a social engineering attack on a single user account." The company said it "immediately blocked the activity, engaged third-party security experts and alerted law enforcement."
The personal data exposed includes names, email addresses, phone numbers, dates of birth, and driver's license and passport numbers. Carnival said it is still conducting what it described as "a thorough and time-consuming analysis" to determine the full scope of what was compromised.
The company's portfolio extends well beyond the Carnival Cruise Line brand. Its 90-ship fleet also includes AIDA, Costa, Cunard, Holland America, P&O, and Princess cruise lines. Carnival's 2025 annual report said the company served approximately 13.5 million guests that year, meaning the breach potentially touched nearly half of its annual passenger base.
Carnival said it mailed notification letters to people affected by the breach. For those it could not reach directly, the company posted an online notice that included a FAQ section. One of the questions addressed directly was "Why am I just finding out about this?"
The company's answer: "We understand this process can feel slow, and we appreciate your patience. Complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to, and then to ensure notifications are handled accurately. After identifying and stopping the incident, our focus shifted immediately to investigating it fully and communicating with all impacted parties as soon as we could."
Some customers did not accept that explanation without frustration. Reactions appeared on Reddit's r/CarnivalCruiseFans forum following the notice, though the full extent of those comments was not available in the company's statement.
As a response to the breach, Carnival said it is offering some U.S. travelers two years of free credit monitoring. The company also said it has added new layers of security and monitoring on top of existing protections.
"We're notifying affected individuals and deeply regret any concern this causes," Carnival told Fox News Digital. "Protecting the privacy and security of personal data is a priority for us, and we've added new layers of security and monitoring on top of the comprehensive protections already in place. We'll also continue advancing our defenses against evolving threats."
Affected customers who receive notification letters will likely be directed toward the credit monitoring offer. Those who believe they may have been impacted but did not receive a letter are encouraged to check the company's online notice.
