Carnival Corporation, Carnival Cruise Line, Princess Cruises and Holland America Line: Cruise operator Carnival discloses personal data breach

Carnival Corporation, Carnival Cruise Line, Princess Cruises and Holland America Line: Cruise operator Carnival discloses personal data breach

Carnival Corp. Reports Cybersecurity Incident Involving Employee Account Compromise

Carnival Corporation, the global cruise operator, disclosed a cybersecurity incident on May 27 after detecting unauthorized access to an employee’s account in April. The breach, executed through social engineering tactics, led to the exposure of personal data, including names, addresses, and government-issued identification numbers.

The company acted swiftly to contain the incident, blocking further unauthorized activity and enlisting third-party security experts to investigate. Affected individuals are being notified via email, with U.S. customers offered two years of free credit monitoring through TransUnion, beginning May 27.

In response, Carnival has bolstered its security protocols and monitoring controls, committing to further enhancements in IT and data protection measures. This incident follows a 2021 breach that compromised guest, employee, and crew data across multiple Carnival brands, including Carnival Cruise Line, Holland America Line, and Princess Cruises.

Source: https://www.reuters.com/legal/litigation/cruise-operator-carnival-discloses-personal-data-breach-2026-05-27/

Carnival Corporation cybersecurity rating report: https://www.rankiteo.com/company/carnival-corporation

Princess Cruises cybersecurity rating report: https://www.rankiteo.com/company/princess-cruises

"id": "CARPRI1779920714",
"linkid": "carnival-corporation, princess-cruises",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'U.S. customers (specific number '
                                              'not disclosed)',
                        'industry': 'Cruise Line',
                        'location': 'Global',
                        'name': 'Carnival Corporation',
                        'type': 'Corporation'}],
 'attack_vector': 'Social Engineering',
 'customer_advisories': 'Affected individuals offered two years of free credit '
                        'monitoring through TransUnion',
 'data_breach': {'personally_identifiable_information': 'Names, addresses, '
                                                        'government-issued '
                                                        'identification '
                                                        'numbers',
                 'sensitivity_of_data': 'High (government-issued '
                                        'identification numbers)',
                 'type_of_data_compromised': 'Personal data'},
 'date_detected': '2024-04',
 'date_publicly_disclosed': '2024-05-27',
 'description': 'Carnival Corporation disclosed a cybersecurity incident '
                'involving unauthorized access to an employee’s account '
                'through social engineering tactics, leading to the exposure '
                'of personal data.',
 'impact': {'data_compromised': 'Personal data, including names, addresses, '
                                'and government-issued identification numbers',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Employee account compromise'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Bolstered security '
                                                  'protocols and monitoring '
                                                  'controls',
                            'root_causes': 'Social engineering attack leading '
                                           'to employee account compromise'},
 'recommendations': 'Further enhancements in IT and data protection measures',
 'references': [{'date_accessed': '2024-05-27',
                 'source': 'Carnival Corporation Disclosure'}],
 'response': {'communication_strategy': 'Affected individuals notified via '
                                        'email',
              'containment_measures': 'Blocked further unauthorized activity',
              'enhanced_monitoring': 'Yes',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Enhanced security protocols and '
                                      'monitoring controls',
              'third_party_assistance': 'Yes (third-party security experts)'},
 'title': 'Carnival Corp. Employee Account Compromise',
 'type': 'Data Breach'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.