Carnival data breach exposes nearly 6 million people’s personal data

Carnival Corporation has confirmed a data breach affecting nearly 6 million people, and the fallout could reach travelers who may not think of themselves as Carnival customers.

The company says the incident involved a social engineering attack on a single user account. In other words, someone fooled an employee and gained access to part of Carnival’s IT system.

For cruise customers, the real concern starts after the breach. Stolen personal details can help scammers write messages that feel far more believable. Here is what may have been exposed, what Have I Been Pwned found in the leaked data and what you can do now to protect yourself.

Join CyberGuy Live: Lock Down Your Phone in 30 Minutes (Saturday, June 13, 10 a.m. ET)

• Your phone holds your email, passwords, photos, banking apps and personal data. In this free, live online class, Kurt the CyberGuy will walk you step by step through simple phone security fixes you can do in real time. You’ll learn how to improve your privacy settings, spot the latest phone scams, use trusted security tools and walk away with a simple checklist to stay protected. Register here: CyberGuyLive.com

MAJOR CRUISE LINE HACK EXPOSES SENSITIVE DATA OF NEARLY 6 MILLION TRAVELERS

What information was exposed in the Carnival breach?

Carnival Corporation says the breach began with a social engineering attack on a single user account. An unauthorized actor gained access to a limited part of the company’s IT system. Carnival says it immediately blocked the activity, brought in third-party security experts and alerted law enforcement.

A Carnival Corporation spokesperson told CyberGuy,

“In April, we identified unauthorized access to a limited part of our IT system caused by a social engineering attack on a single user account. We immediately blocked the activity, engaged third-party security experts and alerted law enforcement. Our investigation found certain personal information was illegally accessed. We’re notifying affected individuals and deeply regret any concern this causes. Protecting the privacy and security of personal data is a priority for us and we’ve added new layers of security and monitoring on top of the comprehensive protections already in place. We’ll also continue advancing our defenses against evolving threats.”

State breach reporting shows 5,995,277 people were affected. Carnival says the impacted data varies by individual. However, the company says the information known to be involved includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, such as driver’s license numbers and passport numbers.

What Have I Been Pwned found in the leaked Carnival data

Have I Been Pwned also analyzed the data published by ShinyHunters and said it contained 8.7 million records with 7.5 million unique email addresses. That data appeared tied to Holland America’s Mariner Society loyalty program and included names, dates of birth, email addresses, genders, geographic locations, salutations and loyalty program details.

That means this breach could affect you even if you think of yourself as a Holland America customer, not a Carnival customer. Even without a credit card number, this type of data can create problems. Criminals can use it to build fake emails, texts and calls that sound like they came from a real cruise brand. For example, a scammer could mention loyalty points, an upcoming trip, a refund or a cabin upgrade. That one familiar detail may be enough to get you to click.

What ShinyHunters claimed about Carnival

Carnival has not publicly confirmed that ShinyHunters carried out the attack. However, the extortion gang claimed responsibility in April 2026 and said it stole millions of records and internal corporate data.

ShinyHunters has also been tied to broader data theft and extortion activity involving Salesforce customers. The group often pressures companies by threatening to leak or sell stolen information.

The FBI has warned victims not to pay ransom demands from the group. Paying does not guarantee stolen data will be deleted. It also does not stop criminals from trying to extort victims again.

For you, the concern is what happens next. Once your data leaks, scammers may try to use it in emails, texts or calls that sound more believable than the usual junk.

Why the Carnival breach could put you at risk

Travel scams work because they catch you when you are excited, rushed or distracted. Maybe you booked a cruise years ago. Maybe you joined a loyalty program and forgot about it. Maybe you sailed with Holland America, Princess Cruises or another Carnival-owned brand. That old account can still have value to criminals.

Carnival has also dealt with several cybersecurity incidents before. The company disclosed breaches in March 2020 and June 2021 after attackers accessed employee email accounts. Ransomware incidents in August 2020 and December 2020 also exposed personal information tied to Carnival customers and employees.

That history does not mean every Carnival customer will face fraud. But it does show why old travel accounts deserve attention. A loyalty account can reveal more than points. It can connect your name, email, birthday, travel history and brand preferences.

That gives scammers more ways to sound convincing. A fake email may claim your loyalty points are expiring. A text may say you qualify for a refund. A caller may say your account needs verification. Those tricks can lead to stolen passwords, malware, fake payment pages or identity theft attempts.

HOW TO PROTECT YOUR ONLINE PRIVACY AND SECURITY ON YOUR NEXT CRUISE VACATION

Carnival Corporation confirmed a data breach affecting nearly 6 million people after a social engineering attack on a single user account. (Patrick Connolly/Orlando Sentinel/Tribune News Service via Getty Images)

Ways to stay safe after the Carnival breach

If you receive a Carnival breach notice, read it closely so you know what information may have been involved. Some impacted data may include government-issued identification numbers, so take these steps to lock down your accounts, spot fake cruise messages and reduce the chances that scammers can use your personal details against you.

1) Review Carnival’s offer for credit monitoring

Carnival says it is offering eligible U.S. individuals two years of complimentary credit monitoring. If you receive a notice, use the contact details in that notice or Carnival’s official breach webpage. Do not trust random links in emails, texts or search ads claiming to help you enroll.

2) Change your cruise account passwords

Go directly to the official website or app. Do not click a link from an email or text. Use a strong, unique password for every travel account. A password manager can help you create and store better passwords. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

3) Turn on two-factor authentication

Two-factor authentication (2FA) adds another layer of protection. Even if someone steals your password, they still need a second approval. Use an authentication app when possible. Text codes help, but they can be weaker if a scammer tries a SIM swap attack.

4) Watch for fake cruise emails and texts

Be suspicious of messages about refunds, loyalty points, upgrades, cancellations or account verification. Scammers love urgent wording. They want you to click before you think. Instead, go straight to the company’s website or app. Check your account there.

5) Use a data removal service

A data removal service will not undo the Carnival breach. However, it can help remove your personal information from data broker and people-search sites. That can make it harder for scammers to combine leaked breach data with your home address, phone number, relatives’ names or other details found online. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

6) Use strong antivirus protection

Breaches often lead to phishing emails with dangerous links or attachments. Strong antivirus protection can help block malicious websites, scam pages and malware before they do damage. Also, keep your phone, tablet and computer updated. Security updates close holes that criminals try to exploit. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

7) Do not share personal details with callers

If someone calls and claims to represent a cruise line, do not give out your date of birth, payment details or login codes. Hang up and call the company using a number from its official website.

10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE

Travelers can reduce risk after the Carnival breach by changing passwords, enabling two-factor authentication and monitoring credit reports. (Daniel de la Hoz/Getty Images)

8) Monitor your bank and credit card accounts

Check your statements for charges you do not recognize. Small test charges can show up before larger fraud attempts. Report suspicious activity right away. Many banks also let you lock a card from the app while you investigate.

9) Consider a credit freeze

A credit freeze can block criminals from opening new credit accounts in your name. You can freeze your credit for free with Equifax, Experian and TransUnion. You can also lift the freeze when you need to apply for credit.

10) Review your credit reports

Check your credit reports for accounts, addresses or inquiries you do not recognize. You can get free weekly credit reports from the three major credit bureaus at AnnualCreditReport.com.

11) Watch for misuse of your ID documents

Because Carnival says some impacted data may include driver’s license or passport numbers, be extra cautious with messages asking you to “verify” your identity. Do not upload a photo of your ID through a link in an email or text. Go directly to the official company, bank or government website instead.

12) Consider identity theft protection

Identity theft protection can help monitor your personal information, credit files and financial activity for warning signs of fraud. Some plans also include breach or dark web monitoring, which can alert you if your email address or other personal details appear in known leaks. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com

13) Save the breach notice

Keep a copy of any notice you receive from Carnival. It may explain what information was involved and what support the company offers. Be careful with fake settlement or claim websites. Scammers often create lookalike pages after major breaches.

Kurt’s key takeaways

The Carnival data breach shows why travel accounts need the same care as banking, shopping and email accounts. A cruise may last a week, but the data you shared can stick around for years. Take a few minutes now to tighten your accounts. Change reused passwords, watch for cruise-themed scams and consider freezing your credit if you want stronger protection.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Have travel companies earned enough trust to keep collecting so much personal data, or should loyalty programs start asking for far less? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.