The world’s most popular cruise line has suffered a major data breach, possibly exposing personal information of millions of passengers.
Carnival Cruise Line announced last month that its systems suffered a cyberattack in April, allowing an ‘unauthorized actor’ to access names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, including driver’s licenses and passports.
The cruise giant disclosed that hackers gained access to a limited portion of its IT systems after manipulating an employee through a so-called ‘social engineering’ attack, a tactic that relies on deception rather than technical vulnerabilities.
Carnival said its security team detected the intrusion on April 14 and immediately moved to contain the breach while launching an investigation with outside cybersecurity experts.
Within days, investigators determined that passenger data had been accessed, including names, home addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers such as driver’s licenses and passports.
Although Carnival did not disclose the total number of affected customers in its public statement, a filing submitted to the Maine Attorney General’s Office revealed that 5,995,277 people may have been impacted.
The company has begun notifying affected passengers and is offering two years of complimentary credit monitoring and identity protection services through TransUnion.
In a statement, Carnival said it ‘deeply regrets this incident and any concern it may cause,’ adding that it has implemented additional security measures and monitoring tools to help prevent future attacks.
‘Carnival has taken further steps to deploy additional safeguards onto our systems, including implementing enhanced security and monitoring controls,’ the company said.
‘We remain committed to ongoing information security reviews to strengthen our security and privacy programs and controls.’
Carnival Cruise Line has faced a string of cybersecurity incidents over the past several years, with breaches exposing sensitive information belonging to customers and employees and raising questions about the security of its systems.
The first major incident emerged in March 2020 when Carnival Corporation, the parent company, disclosed that unauthorized actors had gained access to company systems months earlier, in May 2019.
According to the company, the breach affected systems associated with multiple cruise brands and exposed personal information belonging to customers and employees.
The compromised data reportedly included names, passport numbers, health information and other sensitive details.
While Carnival said it identified the intrusion in May 2019, the company did not publicly reveal the incident until nearly a year later.
Just months after that disclosure, Carnival was hit by another cyberattack.
On August 15, 2020, the company detected a ransomware attack that affected one of its cruise brands.
Cybercriminals infiltrated parts of Carnival’s information technology network, encrypted files and stole data from company systems.
Carnival warned at the time that the attack could affect guests, employees and business operations.
The seriousness of the incident prompted the company to file a report with the Securities and Exchange Commission, informing investors that hackers had gained unauthorized access to portions of its network.
The fallout from the ransomware attack revealed that personal information had once again been compromised.
Carnival later confirmed that exposed records included names, addresses, dates of birth and passport numbers. In some cases, the breach also involved employee Social Security numbers and health-related information, increasing concerns about the potential for identity theft and fraud.
Security researchers have noted that the 2020 incidents were not isolated events.
Between 2019 and 2021, Carnival disclosed multiple cybersecurity issues, including two ransomware attacks, a phishing-related compromise and malware infections that resulted in unauthorized access to customer and employee information.
The repeated incidents placed the cruise giant among a growing number of major corporations struggling to defend against increasingly sophisticated cyber threats.
The company’s cybersecurity challenges resurfaced in 2026 with what became one of the largest data breaches in its history.
Carnival disclosed that an attacker used social engineering techniques to trick an employee into providing access to internal systems.
Unlike attacks that exploit software vulnerabilities, social engineering relies on manipulating people into granting access or revealing sensitive information.
The breach ultimately affected nearly six million individuals, making it one of the most significant cybersecurity incidents ever reported by the company.
According to Carnival, exposed information included names, contact details, dates of birth and government-issued identification numbers such as driver’s license and passport information.
The incident highlighted the growing threat posed by human-focused cyberattacks, which have become increasingly common as hackers target employees rather than attempting to break through technical defenses.



