Key Aspects:
- Carnival has begun notifying people whose personal data was leaked in a cyber-attack earlier this year.
- Nearly 6 million people were impacted by the attack from the extortion group ShinyHunters.
- Carnival is offering those affected a free 2-year credit-monitoring service subscription.
Millions of people have begun receiving emails from Carnival Corporation, the parent company of Carnival Cruise Line, informing them that their personal data was leaked in a cyber-attack earlier this year. The Miami-based cruise company has also issued a notice on its website.
“Unfortunately, we are writing to inform you of a recent cybersecurity event affecting certain of your personal information,” the company wrote in the notice.
“We have been conducting a thorough and time-consuming analysis of the impacted data to determine what personal information it contained and to whom that information belongs.“
Cruise Hive reported on the original attack as news broke in mid-April this year. At that time, it was reported that more than 8.7 million records had been stolen by the extortion group, ShinyHunters, but it was unknown how much of that was personal data vs corporate data.
This escalated when, by the end of April, three lawsuits were already filed against the cruise line, accusing them of negligence in the handling of customers’ personal data.
On May 27, 2026, the company disclosed the exact number of impacted people to U.S. authorities: 5,995,277, just shy of six million people.
The notices were sent out to those impacted on the same day.
“While this analysis is ongoing and the affected data varies by individual, to date, the impacted data is known to include the following personal information: name, address, email address, phone number, date of birth, and government-issued identification number (e.g., driver’s license number and passport number),” the notice said.
One VIFP member, whose passport number was leaked in the attack, posted his notice on Facebook.
“Thank you Carnival Cruise for giving out my confidential information!” he posted.
According to CyberInsider, the leak does not appear to include credit card details or passwords, but names, birthdates, VIFP loyalty status data, and other identifying information may be included.
What is Carnival Doing About It?
According to the notice, Carnival has been hard at work enhancing and further safeguarding its cybersecurity systems, though that’s little consolation to the nearly six million people already affected.
For them, Carnival is offering a free, 24-month subscription to TransUnion’s credit monitoring service. With a provided activation code, guests can register for free with TransUnion by August 31, 2026. This service monitors your credit and flags potential fraud or suspicious activity.
Carnival Corporation has also set up a dedicated call center for questions about the data breach and the TransUnion services offered.
While Carnival is taking these actions, they still warn impacted people to be vigilant and aware of identity theft or other cyber threats.Â
“If you ever suspect that you are the victim of identity theft or fraud, you can contact your local police,” the notice reads.
While it does seem like Carnival Corporation is doing the right things in response, with nearly six million people affected, this is surely not the last we’ll hear of this cybersecurity snafu.
