In a statement released overnight (27 May 2026), the company announced that it suffered a cyber attack on 14 April 2026, which saw an employee’s account breached through social engineering.
The incident led to the threat actor accessing a “limited portion of the company’s IT system”, according to the statement; however, the area that was accessed was not disclosed.
“The company acted swiftly to block the unauthorised activity and immediately began working with third-party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation, the company determined the bad actor illegally accessed certain personal information,” the statement said.
According to Carnival, an investigation was launched to determine what data was impacted. While the data varied from person to person, it included names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers as found on passports and driver’s licenses.
Carnival said it has already sent notifications to those whose data it determined were impacted by the incident, and published a public statement for those with out-of-date or insufficient contact information.
The cruise ship operator also said it has bolstered its security measures and offered impacted individuals credit monitoring.
“In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape,” Carnival said.
Carnival did not disclose how many individuals were impacted, nor did it reveal the nature of the incident or the threat actor claiming responsibility.
Cyber Daily has yet to observe threat actors claiming to be behind the incident.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
