Carnival Corporation has begun notifying individuals whose personal data was affected by the cybersecurity incident, with the cruise ship giant noting that “an unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system.”
A spokesperson said “Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident.
“This notice is intended to provide the same information included in the notification letters to individuals for whom the company has insufficient or out-of-date contact information. The company also launched a webpage to report the incident publicly on May 27, 2026.
“On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system. The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation the company determined the bad actor illegally accessed certain personal information.
“The company has been conducting a thorough and time-consuming analysis of the impacted data to determine what personal information it contained and to whom that information belongs. While this analysis is ongoing and the affected data varies by individual, to date, the impacted data is known to include the following personal information: name, address, email address, phone number, date of birth, and government-issued identification number (e.g., driver’s license number and passport number).
“The company is notifying individuals whose personal information was affected via email, as required and where available. The company is offering individuals in the U.S. two years of complimentary credit monitoring through its preferred third-party vendor, TransUnion. The notices provide the nature of the information involved and contact details for the dedicated TransUnion call center established to assist with enrollment for eligible individuals and to address any inquiries related to the incident. Individual notifications were issued starting May 27, 2026.
“In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.”
Read More About
Category: All, Business, technology
