Cruise giant Carnival Corporation is facing fresh scrutiny after confirming that the personal information of nearly six million customers was exposed in a major cybersecurity breach traced to a social engineering attack.
The world’s largest cruise company said an unauthorized actor gained access to a limited section of its IT network. The incident was detected on April 14, with investigators later determining that customer data had been copied from company systems.
According to regulatory filings, a total of 5,995,277 individuals were affected, making it one of the largest data breaches to hit the travel industry in recent years. Carnival has begun notifying impacted customers. The company is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion.
The compromised information varies by individual but MAY include names, home addresses, email addresses, phone numbers, dates of birth, and government-issued identification details such as passport and driver’s license numbers. The company said no evidence has emerged that financial account information was involved, although investigations remain ongoing.
The company said it immediately blocked the unauthorized activity and brought in third-party cybersecurity specialists to investigate and strengthen security controls.
Cybersecurity reports have linked the incident to the extortion group ShinyHunters, which allegedly claimed responsibility and said it obtained millions of customer records. Carnival has not publicly attributed the attack to any specific threat actor.
The timing of customer notifications has also generated criticism. Although the breach was discovered in mid-April, notification emails were not sent until May 27, more than six weeks later. Carnival said the delay was necessary to determine exactly what information had been affected and which customers needed to be contacted.
The incident highlights the growing threat that social engineering attacks continue to generate, with cybercriminals targeting employees rather than technical vulnerabilities. Travel companies remain attractive targets because they store large volumes of personal and passport-related data belonging to international travelers.
