Carnival Corp said it detected a cybersecurity incident after an employee account was compromised in April, leading to the exposure of certain personal information belonging to affected individuals. The company said the leaked data may include names, addresses and government-issued identification numbers.
According to Carnival, the unauthorized access was carried out through social engineering, a tactic used to deceive an employee and gain entry to protected data. The cruise operator said it quickly blocked the activity once it was discovered and has since brought in third-party security experts to conduct a full investigation into the incident.
Carnival said it began notifying affected individuals by email where possible, with notifications starting on May 27. U.S. customers affected by the breach are being offered two years of free credit monitoring through TransUnion. The company also urged impacted people to enroll in the monitoring service, stay alert for signs of fraud, check account activity and credit reports regularly, and report any suspected identity theft to local authorities.
The company said it has strengthened its security and monitoring controls and will continue improving its information technology and data protection measures. Carnival did not immediately disclose how many people were affected by the breach.
The incident adds to growing concerns over cybersecurity risks facing major companies that store sensitive personal information. It also follows a prior 2021 incident in which Carnival said unauthorized access affected personal information of some guests, employees and crew across Carnival Cruise Line, Holland America Line, Princess Cruises and its medical operations.
Carnival’s disclosure comes as businesses across industries continue to deal with increasingly sophisticated cyberattacks that often rely on manipulating employees rather than exploiting technical flaws alone. Social engineering attacks can be particularly difficult to prevent because they target human behavior and trust, making staff training and security awareness a critical part of corporate defenses.
The company said it is continuing to assess the scope of the breach and will work to protect affected customers and employees as the investigation proceeds.
