Cruise giant Carnival Corporation is warning that a springtime cyberattack may have spilled the personal data of nearly six million customers, after scammers reportedly tricked a single employee and slipped into a slice of the company’s IT systems. The Miami-based operator says affected U.S. customers are being offered two years of free credit monitoring through TransUnion.
What Carnival Is Saying Now
In a notice posted May 27, Carnival Corporation said its IT security team spotted unauthorized activity involving an employee account on April 14 and confirmed on April 22 that files had been copied.
"We deeply regret this incident and any concern it may cause," the company wrote, adding that it brought in outside security experts to investigate and tighten defenses. Carnival said individual email notifications began going out May 27 and that eligible U.S. residents are being offered 24 months of complimentary credit monitoring.
How Many People Were Hit
A filing with the Maine Attorney General’s Office puts the total at 5,995,277 people, including 9,746 Maine residents. Reporting from Malwarebytes noted that Carnival did not publish a nationwide count in its initial public statement, leaving the state filing as the clearest public tally so far.
Separate coverage by Computer Weekly reports that the extortion group ShinyHunters claimed roughly 8.7 million records and that Have I Been Pwned flagged about 7.5 million unique email addresses tied to the leak, though those threat-actor claims remain unverified.
What Data May Have Been Exposed
Carnival’s notification letter says the copied files are known to contain some combination of name, postal address, email address, phone number, date of birth and government-issued identification numbers, including driver’s license and passport numbers.
The company has set up a TransUnion enrollment line for U.S. residents and, according to the mailed notice and related reporting, lists 1-844-593-8310 for questions. Because the specific data fields vary from person to person, Carnival is telling recipients to read their individual notice carefully to see exactly what information may apply to them.
Legal Heat And Consumer Headaches
At least one plaintiffs’ firm has announced an investigation into potential claims tied to the incident, according to a recent law-firm press release. The combination of a detailed state filing and exposed government-ID data raises the risk of identity theft and could invite closer scrutiny from regulators under state breach-notification laws.
If you received a notice from Carnival, the company is urging you to follow the instructions to enroll in the TransUnion services or call the number provided, and to keep a close eye on bank and credit-card statements for suspicious charges. Consumers can place fraud alerts or security freezes and are advised to report suspected identity theft to the Federal Trade Commission. Security analysts also warn that breaches like this often trigger slick follow-up phishing scams that name-check loyalty programs or recent travel, so it is wise to treat unexpected emails or calls with extra skepticism.
