
by Lacey Pfalz
Last updated: 11:05 AM ET, Thu May 28, 2026
Carnival Corporation & plc disclosed a cybersecurity incident involving guests’ personal information on May 27, 2026.
The corporation, which manages major cruise brands like Carnival Cruise Line, Holland America Line, Princess Cruises and Seabourn, sent impacted individuals a notice via their contact information, and also posted a letter about the incident online.
The incident, according to Carnival, occurred on April 14, 2026 when an employee was deceived using “social engineering,” compromising the account. The bad actor was then able to gain access to a limited part of Carnival’s IT system, gaining access to personal information that includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification like passport and driver’s license numbers.
Carnival has not determined how many people have been impacted with the data breach, but an investigation is ongoing. The company’s IT security team was able to block the threat actor and is working with third-party security experts to conduct the investigation.
Those who have received official communication from Carnival about the incident have been identified as being part of the data breach. Carnival is offering impacted guests in the U.S. two years of free credit monitoring through TransUnion.
“In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls,” the Carnival data breach notice said. “The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.”
Carnival also encourages those who experience fraud to contact their local law enforcement.
For the latest travel news, updates and deals, subscribe to the daily TravelPulse newsletter.
Topics From This Article to Explore