Overview
- Carnival disclosed in a Maine Attorney General filing that 5,995,277 people had personal information accessed after the company detected unauthorized activity in April.
- The company says an attacker used social engineering to deceive a single user account, it blocked the access, engaged outside security teams, alerted law enforcement, and began a file‑by‑file investigation.
- So far Carnival has determined names, emails, phone numbers, dates of birth and passport or driver’s license numbers were among the exposed data, which raises identity‑theft risk.
- Outside researchers and the extortion group ShinyHunters have claimed a larger published dataset, with media estimates ranging higher than Carnival’s count, a discrepancy the company has not confirmed.
- Carnival is notifying impacted people, offering U.S. customers two years of TransUnion credit monitoring, and customers are urged to check accounts and credit reports as investigators continue their review.