Overview
- Carnival detected unauthorized activity tied to a compromised employee account on April 14 and determined on April 22 that personal information had been copied, then began notifying affected individuals on May 27.
- A regulatory notice filed in Maine reports 5,995,277 people affected, with Texas officials saying more than 800,000 Texans are included and outside reporting suggesting larger unconfirmed totals.
- The company says the copied records include names, contact details, dates of birth and government‑issued ID numbers such as passports and driver’s licenses, which increase the risk of identity theft.
- Carnival says it blocked the intrusion, engaged third‑party cybersecurity firms and law enforcement, and is offering eligible U.S. customers two years of TransUnion credit monitoring as the investigation continues.
- Security experts note the attack used social engineering to trick an employee and warn that such human‑targeted schemes are growing more effective with widely available AI tools that help impersonation.