Carnival breach 6 million affected after the company said an April social engineering attack gave an unauthorized actor access to a limited part of its IT system. The disclosure covers 5,995,277 people and includes names, email addresses, phone numbers, dates of birth, and driver’s license and passport numbers.
Carnival April Access
Carnival Corporation said in April it identified unauthorized access tied to a single user account after an employee was deceived into opening the door. The company said it blocked the activity, brought in third-party security experts, and alerted law enforcement.
The scale stands out because Carnival serves approximately 13.5 million guests in 2025 across a fleet of 90 ships. A breach affecting nearly 6 million people therefore reaches far beyond a small customer list, and the inclusion of passport and driver’s license numbers turns it into a document-security problem as well as a contact-data problem.
Letters And Credit Monitoring
Carnival later filed a data breach notice with the Maine Attorney General’s office saying 5,995,277 people were affected, then sent notification letters to people it could reach. It is also offering some U.S. travelers two years of free credit monitoring.
The company’s online notice includes the question, “Why am I just finding out about this?” for people it could not reach by letter. The same notice says, “We understand this process can feel slow, and we appreciate your patience,” which points to a review that Carnival itself describes as thorough and time-consuming.
What Affected Travelers Can Expect
Carnival said it was still determining exactly which personal information was compromised, even after naming the categories it has already identified. That leaves affected travelers with a practical choice now: watch for the letter, use the monitoring offer if eligible, and treat identity documents and account credentials with extra caution if their data was in the exposed set.
