A press release from Carnival Corporation:
Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident.
This notice is intended to provide the same information included in the notification letters to individuals for whom the company has insufficient or out-of-date contact information. The company also launched a webpage to report the incident publicly on May 27, 2026.
What happened
On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system. The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation the company determined the bad actor illegally accessed certain personal information.
What Personal Information was involved
The company has been conducting a thorough and time-consuming analysis of the impacted data to determine what personal information it contained and to whom that information belongs. While this analysis is ongoing and the affected data varies by individual, to date, the impacted data is known to include the following personal information: name, address, email address, phone number, date of birth, and government-issued identification number (e.g., driver’s license number and passport number).
What the company is doing
The company is notifying individuals whose personal information was affected via email, as required and where available. The company is offering individuals in the U.S. two years of complimentary credit monitoring through its preferred third-party vendor, TransUnion. The notices provide the nature of the information involved and contact details for the dedicated TransUnion call center established to assist with enrollment for eligible individuals and to address any inquiries related to the incident. Individual notifications were issued starting May 27, 2026.
In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.
What you can do
Together with enrolling in the credit monitoring services being offered to eligible individuals whose data was impacted at no charge, the company encourages ongoing data security precautions:
- Remain vigilant against threats of identity theft or fraud and regularly review and monitor account statements and credit histories for any signs of unauthorized transactions or activity.
- Individuals who suspect they are the victim of identity theft or fraud should contact their local police.
Read more of the press release.
Carnival has already been sued over the incident.
