UMVA has learned that Carnival Corporation, the world’s largest cruise operator, suffered a massive data breach that exposed the personal details of nearly six million travelers.
The intrusion began with a social‑engineering ploy that duped a single employee, granting hackers a foothold inside a limited segment of the company’s IT infrastructure. Once discovered, Carnival swiftly blocked the breach, called in third‑party security experts, and notified law enforcement.
According to information obtained by UMVA, the attackers siphoned names, email addresses, phone numbers, dates of birth, and even driver’s license and passport numbers. The breach, filed with the Maine Attorney General, affected 5,995,277 individuals.
Carnival, which served roughly 13.5 million guests in 2025 across its fleet of 90 ships, is now offering U.S. customers two years of complimentary credit‑monitoring through a leading vendor. The company urges those impacted to vigilantly watch their accounts and contact authorities if any suspicious activity appears.
In a statement, Carnival emphasized that protecting personal data remains a top priority and that new security layers have been added atop existing safeguards. The firm pledged to continue bolstering defenses against evolving cyber threats.
Customers voiced frustration online, questioning why notification took so long and demanding compensation or vouchers for future voyages. Some speculated that the breach could be linked to the notorious extortion group ShinyHunters, though Carnival has not confirmed any ransom negotiations or the ultimate destination of the stolen data.
UMVA can exclusively reveal that Carnival’s internal investigation is still underway, with a thorough analysis aimed at pinpointing every piece of compromised information. The company acknowledges the complexity of such incidents and apologizes for the delay in informing affected travelers.