Carnival confirms breach exposing nearly 6 million

Carnival Corporation confirmed a data breach after a social‑engineering attack allowed an intruder to access internal systems and copy personal information for 5,995,277 people. The company began sending “Notice of Cybersecurity Event” letters dated May 27, 2026 to inform affected individuals.

According to a notice filed in Maine, the incident began on April 14, 2026, when an employee was tricked into granting access to part of Carnival’s IT environment. By April 22 the attacker was using a compromised account to reach a limited portion of systems and copied files containing personal data before being blocked.

The notification letters use a template that reads, “We have determined that your <<data elements>> were obtained,” indicating Carnival is identifying the specific categories of data exposed for each recipient. Researchers examining the stolen material say it appears to include full names, email addresses, dates of birth, genders, Mariner Society membership status and tier, and internal customer identifiers. Carnival has not published a comprehensive list of affected data fields for the incident.

The extortion group ShinyHunters claimed responsibility and has reportedly made the Carnival data available for download. Records from cruise bookings and loyalty programs are often targeted because they can combine identity, contact and payment details that can be used for identity theft, targeted phishing and financial fraud.

Carnival engaged third‑party cybersecurity experts and is providing affected individuals with a complimentary 24‑month TransUnion credit‑monitoring service through the MyTrueIdentity platform, with Cyberscout supporting fraud assistance. The company’s letters describe the affected systems as a limited subset of its environment.

Between 2019 and 2021 Carnival reported four cybersecurity events to the New York Department of Financial Services, including two ransomware attacks and a phishing incident in which attackers accessed and encrypted internal systems and stole customer and employee information.

The investigation into the 2026 incident is ongoing. Carnival is working with law enforcement and outside specialists and did not disclose whether any ransom was paid. The breach notice warns that cybercriminals often follow data theft with targeted phishing campaigns and other scams impersonating the company or its vendors.

The company advises recipients to review their notification letters to learn which specific data elements were involved and to monitor account statements and credit reports for unusual activity.