Carnival Corp. Reports Cybersecurity Incident Involving Employee Account Compromise
Carnival Corporation, the global cruise operator, disclosed a cybersecurity incident on May 27 after detecting unauthorized access to an employee’s account in April. The breach, executed through social engineering tactics, led to the exposure of personal data, including names, addresses, and government-issued identification numbers.
The company acted swiftly to contain the incident, blocking further unauthorized activity and enlisting third-party security experts to investigate. Affected individuals are being notified via email, with U.S. customers offered two years of free credit monitoring through TransUnion, beginning May 27.
In response, Carnival has bolstered its security protocols and monitoring controls, committing to further enhancements in IT and data protection measures. This incident follows a 2021 breach that compromised guest, employee, and crew data across multiple Carnival brands, including Carnival Cruise Line, Holland America Line, and Princess Cruises.
Carnival Corporation cybersecurity rating report: https://www.rankiteo.com/company/carnival-corporation
Princess Cruises cybersecurity rating report: https://www.rankiteo.com/company/princess-cruises
"id": "CARPRI1779920714",
"linkid": "carnival-corporation, princess-cruises",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'U.S. customers (specific number '
'not disclosed)',
'industry': 'Cruise Line',
'location': 'Global',
'name': 'Carnival Corporation',
'type': 'Corporation'}],
'attack_vector': 'Social Engineering',
'customer_advisories': 'Affected individuals offered two years of free credit '
'monitoring through TransUnion',
'data_breach': {'personally_identifiable_information': 'Names, addresses, '
'government-issued '
'identification '
'numbers',
'sensitivity_of_data': 'High (government-issued '
'identification numbers)',
'type_of_data_compromised': 'Personal data'},
'date_detected': '2024-04',
'date_publicly_disclosed': '2024-05-27',
'description': 'Carnival Corporation disclosed a cybersecurity incident '
'involving unauthorized access to an employee’s account '
'through social engineering tactics, leading to the exposure '
'of personal data.',
'impact': {'data_compromised': 'Personal data, including names, addresses, '
'and government-issued identification numbers',
'identity_theft_risk': 'High'},
'initial_access_broker': {'entry_point': 'Employee account compromise'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Bolstered security '
'protocols and monitoring '
'controls',
'root_causes': 'Social engineering attack leading '
'to employee account compromise'},
'recommendations': 'Further enhancements in IT and data protection measures',
'references': [{'date_accessed': '2024-05-27',
'source': 'Carnival Corporation Disclosure'}],
'response': {'communication_strategy': 'Affected individuals notified via '
'email',
'containment_measures': 'Blocked further unauthorized activity',
'enhanced_monitoring': 'Yes',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Enhanced security protocols and '
'monitoring controls',
'third_party_assistance': 'Yes (third-party security experts)'},
'title': 'Carnival Corp. Employee Account Compromise',
'type': 'Data Breach'}