Carnival data breach impacts nearly 6 million customers

Carnival is responding to a major data breach that exposed the personal information of millions of passengers, the company disclosed on May 27.

According to a statement published on its website, Carnival Corporation reported that its IT team detected the cybersecurity incident on April 14.

The breach enabled an unauthorized party to access sensitive customer information, including names, addresses, and government-issued identification numbers.

"Carnival Corporation values the trust you place in us, and we take the privacy and security of your information very seriously," the company wrote in the notice. "We deeply regret this incident and any concern it may cause and have sent notification letters to individuals whose data was impacted."

Reports say Carnival’s cybersecurity team first detected the breach on April 14.

The company explained that the incident began when a cybercriminal used a social engineering tactic to deceive an employee and gain access to a limited portion of Carnival’s IT network.

The cruise line said it quickly moved to stop the unauthorized activity and enlisted outside cybersecurity specialists to strengthen its defenses and investigate the incident.

By April 22, the company had confirmed that customer information had been exposed.

Carnival described its review of the affected systems as extensive and time-consuming, noting that the investigation remains ongoing and that the type of compromised data differs among affected individuals.

So far, Carnival has determined that the exposed information may include customers’ names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification details, such as driver’s license and passport numbers.

Although Carnival has not publicly disclosed the total number of people impacted, a filing with Maine’s attorney general indicates that nearly six million individuals may have been affected.

The company is advising customers to closely monitor their financial accounts and credit reports for suspicious activity and is providing two years of complimentary credit monitoring through TransUnion to those affected by the breach.

“In addition to the comprehensive security measures our company had in place prior to the incident, we have taken steps to further safeguard our systems, including enhancing our security and monitoring controls,” Carnival wrote in its release. “Our company will continue to advance our IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.”

Don't miss a single travel story: subscribe to PAX today!  Click here to follow PAX on Facebook.