Carnival Corporation is offering two years of complimentary credit monitoring to affected U.S. customers after a data breach compromised the personal information of nearly six million people.
The breach occurred in April after a hacker “used social engineering to deceive an employee and gain access to a limited portion of the company’s IT system,” the company said. In a regulatory filing with the Maine Attorney General’s office, Carnival disclosed that the incident exposed the personal data of 5,995,277 people.
The cruise conglomerate, which operates 90 vessels across brands including Princess, Holland America, Cunard and Carnival Cruise Line, reported serving approximately 13.5 million passengers in 2025.
According to Carnival, the compromised data includes names, addresses, email addresses, phone numbers, birth dates and government-issued identification numbers, such as driver’s license and passport numbers.
The company stated that the affected information varied by person and that it was still conducting a “thorough and time-consuming analysis” to figure out exactly what was taken and to whom it belonged.
The company began sending out individual email notifications May 27. It also launched a public webpage to reach people with missing or outdated contact information.
Addressing the timeline on its website, Carnival stated that “complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to, and then to ensure notifications are handled accurately.”
The company stated that its focus shifted immediately to investigating the breach and communicating with affected parties as soon as the activity was stopped.
The timeline has drawn criticism from some customers on online forums like Reddit, where users expressed frustration over the delay and questioned the security of their data.
Additionally, Security Week reported that the extortion collective known as ShinyHunters has claimed responsibility for the breach, though Carnival has not publicly verified this claim or disclosed whether a ransom demand was made.
To mitigate potential fallout, Carnival is partnering with TransUnion to provide two years of free credit monitoring for eligible domestic travelers.
In its release, the company urged people to “remain vigilant against threats of identity theft or fraud” by regularly reviewing account statements and credit histories, and to contact local police if they suspect fraud.
Carnival stated that in addition to the “comprehensive security measures” it had in place before the hack, it had “taken steps to further safeguard its systems, including enhancing its security and monitoring controls.”
The company added that it would continue to advance its defenses to stay ahead of changing threats.
The Independent has reached out to Carnival for comment.