Carnival breach may put your travel data at risk
Carnival Corporation has confirmed a data breach affecting nearly 6 million people, and the fallout could reach travelers who may not think of themselves as Carnival customers.
The company says the incident involved a social engineering attack on a single user account. In other words, someone fooled an employee and gained access to part of Carnival's IT system.
For cruise customers, the real concern starts after the breach. Stolen personal details can help scammers write messages that feel far more believable. Here is what may have been exposed, what Have I Been Pwned found in the leaked data and what you can do now to protect yourself.
MAJOR CRUISE LINE HACK EXPOSES SENSITIVE DATA OF NEARLY 6 MILLION TRAVELERS
Carnival Corporation says the breach began with a social engineering attack on a single user account. An unauthorized actor gained access to a limited part of the company's IT system. Carnival says it immediately blocked the activity, brought in third-party security experts and alerted law enforcement.
A Carnival Corporation spokesperson told CyberGuy,
"In April, we identified unauthorized access to a limited part of our IT system caused by a social engineering attack on a single user account. We immediately blocked the activity, engaged third-party security experts and alerted law enforcement. Our investigation found certain personal information was illegally accessed. We're notifying affected individuals and deeply regret any concern this causes. Protecting the privacy and security of personal data is a priority for us and we've added new layers of security and monitoring on top of the comprehensive protections already in place. We'll also continue advancing our defenses against evolving threats."
State breach reporting shows 5,995,277 people were affected. Carnival says the impacted data varies by individual. However, the company says the information known to be involved includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, such as driver's license numbers and passport numbers.
Have I Been Pwned also analyzed the data published by ShinyHunters and said it contained 8.7 million records with 7.5 million unique email addresses. That data appeared tied to Holland America's Mariner Society loyalty program and included names, dates of birth, email addresses, genders, geographic locations, salutations and loyalty program details.
That means this breach could affect you even if you think of yourself as a Holland America customer, not a Carnival customer. Even without a credit card number, this type of data can create problems. Criminals can use it to build fake emails, texts and calls that sound like they came from a real cruise brand. For example, a scammer could mention loyalty points, an upcoming trip, a refund or a cabin upgrade. That one familiar detail may be enough to get you to click.
Carnival has not publicly confirmed that ShinyHunters carried out the attack. However, the extortion gang claimed responsibility in April 2026 and said it stole millions of records and internal corporate data.
ShinyHunters has also been tied to broader data theft and extortion activity involving Salesforce customers. The group often pressures companies by threatening to leak or sell stolen information.
The FBI has warned victims not to pay ransom demands from the group. Paying does not guarantee stolen data will be deleted. It also does not stop criminals from trying to extort victims again.
For you, the concern is what happens next. Once your data leaks, scammers may try to use it in emails, texts or calls that sound more believable than the usual junk.
Travel scams work because they catch you when you are excited, rushed or distracted. Maybe you booked a cruise years ago. Maybe you joined a loyalty program and forgot about it. Maybe you sailed with Holland America, Princess Cruises or another Carnival-owned brand. That old account can still have value to criminals.
Carnival has also dealt with several cybersecurity incidents before. The company disclosed breaches in March 2020 and June 2021 after attackers accessed employee email accounts. Ransomware incidents in August 2020 and December 2020 also exposed personal information tied to Carnival customers and employees.
That history does not mean every Carnival customer will face fraud. But it does show why old travel accounts deserve attention. A loyalty account can reveal more than points. It can connect your name, email, birthday, travel history and brand preferences.
That gives scammers more ways to sound convincing. A fake email may claim your loyalty points are expiring. A text may say you qualify for a refund. A caller may say your account needs verification. Those tricks can lead to stolen passwords, malware, fake payment pages or identity theft attempts.
HOW TO PROTECT YOUR ONLINE PRIVACY AND SECURITY ON YOUR NEXT CRUISE VACATION
If you receive a Carnival breach notice, read it closely so you know what information may have been involved. Some impacted data may include government-issued identification numbers, so take these steps to lock down your accounts, spot fake cruise messages and reduce the chances that scammers can use your personal details against you.
Carnival says it is offering eligible U.S. individuals two years of complimentary credit monitoring. If you receive a notice, use the contact details in that notice or Carnival's official breach webpage. Do not trust random links in emails, texts or search ads claiming to help you enroll.
Go directly to the official website or app. Do not click a link from an email or text. Use a strong, unique password for every travel account. A password manager can help you create and store better passwords. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
Two-factor authentication (2FA) adds another layer of protection. Even if someone steals your password, they still need a second approval. Use an authentication app when possible. Text codes help, but they can be weaker if a scammer tries a SIM swap attack.
Be suspicious of messages about refunds, loyalty points, upgrades, cancellations or account verification. Scammers love urgent wording. They want you to click before you think. Instead, go straight to the company's website or app. Check your account there.
A data removal service will not undo the Carnival breach. However, it can help remove your personal information from data broker and people-search sites. That can make it harder for scammers to combine leaked breach data with your home address, phone number, relatives' names or other details found online. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
Breaches often lead to phishing emails with dangerous links or attachments. Strong antivirus protection can help block malicious websites, scam pages and malware before they do damage. Also, keep your phone, tablet and computer updated. Security updates close holes that criminals try to exploit. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com
If someone calls and claims to represent a cruise line, do not give out your date of birth, payment details or login codes. Hang up and call the company using a number from its official website.
10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE
Check your statements for charges you do not recognize. Small test charges can show up before larger fraud attempts. Report suspicious activity right away. Many banks also let you lock a card from the app while you investigate.
A credit freeze can block criminals from opening new credit accounts in your name. You can freeze your credit for free with Equifax, Experian and TransUnion. You can also lift the freeze when you need to apply for credit.
Check your credit reports for accounts, addresses or inquiries you do not recognize. You can get free weekly credit reports from the three major credit bureaus at AnnualCreditReport.com.
Because Carnival says some impacted data may include driver's license or passport numbers, be extra cautious with messages asking you to "verify" your identity. Do not upload a photo of your ID through a link in an email or text. Go directly to the official company, bank or government website instead.
Identity theft protection can help monitor your personal information, credit files and financial activity for warning signs of fraud. Some plans also include breach or dark web monitoring, which can alert you if your email address or other personal details appear in known leaks. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com
Keep a copy of any notice you receive from Carnival. It may explain what information was involved and what support the company offers. Be careful with fake settlement or claim websites. Scammers often create lookalike pages after major breaches.
The Carnival data breach shows why travel accounts need the same care as banking, shopping and email accounts. A cruise may last a week, but the data you shared can stick around for years. Take a few minutes now to tighten your accounts. Change reused passwords, watch for cruise-themed scams and consider freezing your credit if you want stronger protection.
Have travel companies earned enough trust to keep collecting so much personal data, or should loyalty programs start asking for far less? Let us know by writing to us at Cyberguy.com
Sign up for my FREE CyberGuy Report
Copyright 2026 CyberGuy.com. All rights reserved.
