It appears that Carnival Cruise has entered unforgiving waters.
The travel giant known for smooth sailing has just put nearly 6 million of their passengers at risk, but not on deck. In April, Carnival Corporation, the parent company that operates Carnival Cruise and other brands such as Holland America, was targeted in a cybersecurity attack that leaked sensitive data on millions of customers.
Led by extortion hackers ShinyHunters, the data was leaked after the company allegedly neglected to discuss ransom payments, according to reports. While the analysis is ongoing, compromised data includes personal information such as name, address, email address, phone number, date of birth, along with driver’s license and passport numbers, the company said in a statement.
But impacted customers were only notified this week, over a month after the breach. The company recalls that on April 14, 2026, unauthorized activity involving an employee’s account was identified, and despite the company’s swift response from its IT security team, the fraudulent “actor” gained access to the cruise’s IT system and illegally copied customers’ personal information.
Carnival’s statement, which addressed the lapse in notification, a 5-week period during which information could have increased security for their private information, was vague.
“Why am I just finding out about this? We understand this process can feel slow, and we appreciate your patience. Complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to, and then to ensure notifications are handled accurately,” the statement read.
On top of a delayed response, Carnival’s mea culpa? Two years of complimentary credit monitoring through TransUnion.
“The one piece of my data I had that had not been previously leaked was my passport number,” said one annoyed customer whose identity had been compromised. “Well, thanks Carnival! Personally I think the offer of free credit monitoring is crap. I have this many times over already from other sites data leaks.”
“Not once do they apologize. I am so tired of these breaches. My kid is 13 and been involved in like 4 already,” said another user on Reddit.
Other customers questioned why they were offered travel vouchers, especially given the risk of identity theft.
If this feels familiar, it’s because it is. Over the last several years, the world’s largest cruise operator has earned a track record of data breaches and ransomware incidents, with this most recent “Cybersecurity Event” adding to its lengthy history.
Just last month, the company also canceled thousands of bookings made at unusually low prices due to another technology glitch, which apparently wasn’t the first time either. Critics were quick to point out that the following event was laughable, but ultimately expected.
What seems most egregious here is the disclosure lag, which some are calling anecdotally the worst ever. And even with the limp support, the data affected will likely outlive the supervision.
A representative from Carnival says the company deeply regrets the incident and assures that protecting the privacy and security of personal data is a top priority.
“We’ve added new layers of security and monitoring on top of the comprehensive protections already in place,” the rep said. “We’ll also continue advancing our defenses against evolving threats.”
