If you’ve sailed on any Carnival Corporation brand in the past several years, you need to read this. The company has officially confirmed a data breach affecting nearly 6 million people and the stolen data goes well beyond a leaked email address.
What Happened
On April 14, 2026, Carnival Corporation’s IT security team detected unauthorized activity tied to an employee account. A hacker used social engineering to deceive the employee into handing over access to a portion of the company’s IT systems. Carnival moved quickly to shut down the intrusion, but by April 22 investigators confirmed that personal data had already been copied and exfiltrated before access was blocked.
The hacking group ShinyHunters has claimed responsibility.
Which Brands Are Affected
This is a Carnival Corporation breach, meaning it potentially affects guests across all nine of the company’s cruise line brands:
- Carnival Cruise Line
- Holland America Line
- Princess Cruises
- Cunard
- Seabourn
- Costa
- AIDA
- P&O Cruises
- P&O Australia
If you’ve sailed on any of these lines – or were an employee – your data may be in this pool.
What Was Stolen
According to Carnival Corporation’s own official notice published May 27, 2026, the impacted data is confirmed to include:
- Full name
- Home address
- Email address
- Phone number
- Date of birth
- Government-issued identification numbers – specifically driver’s license numbers and passport numbers
Carnival notes that the affected data varies by individual, and their analysis of the full dataset is still ongoing. But passport and driver’s license numbers are confirmed as part of what was taken.
This is serious. You can’t cancel a passport number the way you cancel a credit card. That information can be used for identity fraud and targeted phishing attacks for years. Take this seriously.
The Phishing Wave Is Coming – Know What to Avoid
Here’s the thing about a breach involving loyalty programs: the criminals who buy or receive this data already know you’re a cruiser. They know your name, your contact info, and likely your approximate loyalty status based on your sailing history.
Expect to see phishing emails in the coming months that look like they’re from Carnival, Holland America, Princess Cruises, or other CCL brands. The most convincing scam you’re likely to see is a “loyalty tier verification” email – something along the lines of:
“Action required: Verify your Mariner Society status to retain your loyalty benefits.”
Or:
“Your VIFP account requires re-verification following a recent security update.”
These emails will look real. They’ll have the right logos, the right colors, and they’ll address you by name. Do not click links in any email like this. Go directly to the cruise line’s website by typing the URL yourself.
Secure Your Accounts Now – Before Someone Else Does
Don’t wait to receive a breach notification letter. Act now. This applies to every Carnival Corporation brand, so go directly to whichever cruise line websites you have accounts with and do the following:
- Type the URL directly into your browser. Do not use any link from an email.
- Change your password to something unique that you don’t use anywhere else.
- Review your profile to make sure your email address, phone number, and mailing address haven’t been altered.
- Enable two-factor authentication if the site offers it.
- Check your loyalty points balance and tier status to make sure nothing looks off.
If you use the same password across multiple travel accounts like airlines, hotels, other cruise lines, change those too. Credential stuffing attacks, where hackers take leaked data and try the same login credentials on other sites, are a standard follow-up to breaches like this.
How to Claim the Free TransUnion Credit Monitoring
Carnival is offering two years of free credit monitoring through TransUnion to affected U.S. residents. Here’s what you need to know:
- Carnival began sending email notifications on May 27, 2026. Check your inbox, including spam, for a message from Carnival Corporation.
- The notification will include enrollment details for the TransUnion credit monitoring offer.
- Enrollment deadline: August 31, 2026. Don’t sit on this.
- If you have questions or need help enrolling, Carnival has set up a dedicated TransUnion call center: 1-844-593-8310, available Monday–Friday, 8am–8pm ET (excluding major holidays).
Don’t trust any unsolicited email or phone call claiming to help you enroll – go through the official process only.
While You’re at It: Freeze Your Credit
You don’t need to wait for a notification letter to take the strongest protective step available. A credit freeze is free, takes minutes, and prevents anyone from opening new credit in your name. You’ll need to do it at all three bureaus separately:
- Equifax: equifax.com or 1-888-766-0008
- Experian: experian.com or 1-888-397-3742
- TransUnion: transunion.com or 1-800-680-7289
A freeze doesn’t affect your existing accounts or credit score – it just prevents new accounts from being opened until you lift it.
The inconvenience of updating a few passwords is nothing compared to dealing with identity fraud. Get it done.