Carnival Cruise Line disclosed a data breach in April 2025 that compromised the personal information of nearly 6 million passengers. The breach, caused by a social engineering attack targeting an employee, exposed names, addresses, and passport numbers. This marks the latest in a string of cybersecurity failures at the company dating back to 2019, raising renewed concerns about its data protection practices.

Nearly 6 million passengers' data — and counting

According to a mandatory filing with the Maine Attorney General’s Office, the breach potentially affected 5,995,277 individuals. The stolen data includes full names, home addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver’s licenses and passport details. Carnival has started notifying affected passengers and is offering two years of free credit monitoring and identity protection through TransUnion.

The scale of this breach is enormous, but it is not an isolated event. As the source report notes, Carnival has a documented history of cybersecurity struggles, with multiple incidents over the past several years exposing sensitive customer and employee data.

A social engineering attack that followed ransomware and phishing

The April 2025 breach was the result of a sophisticated social engineering attack that targeted an employee, allowing unauthorized access to a limited portion of Carnival’s IT systems. The company’s security team discovered the intrusion on April 14 and initiated containment protocols. This tactic — relying on psychological manipulation rather than direct technical exploit — has been used in previous incidents targeting the cruise giant.

In March 2020, Carnival revealed a breach that originally occurred in May 2019, affecting systems across multiple brands. That incident was followed by a ransomware attack on August 15, 2020, which encrypted files and exfiltrated data. The 2020 attack forced a Securities and Exchange Commission filing after threat actors accessed parts of Carnival’s IT environment, stealing passenger details and employee Social Security numbers.

What the Maine filing revealed and why it matters to regulators

The disclosure to Maine’s Attorney General provided the first concrete figure for the 2025 breach’s scope: 5,995,277 individuals. This filing is a required step under state data breach notification laws, but it also invites scrutiny from regulators worldwide. Under frameworks like the GDPR, Carnival could face substantial fines for failing to protect European passengers’ data. The repeated nature of these breaches may lead to more aggressive enforcement actions, including mandatory security audits or penalties for delayed disclosure — a pattern the source notes was visible in the 2020 breach announcement.

The 2026 mega-breach that exposed Carnival’s unbroken pattern

Perhaps most troubling is what came after the 2025 incident: in 2026, Carnival suffered what the source describes as “one of the largest data breaches in its operational history.” That event suggests that the company’s post-2023 remediation efforts were insufficient and that systemic security weaknesses remain. Security analysts, as reported in the source, point to potentially inadequate employee training, insufficient network segmentation, and a lack of robust multi-layered defense architectures as contributing factors.

For a global travel company processing millions of sensitive records, the recurrence of breaches — from 2019 to 2020 to 2025 and 2026 — underscores a failure to learn from past incidents. Affected passengers now face long-term risks of identity theft and fraud, and the standard two-year credit monitoring offer may not cover the years of potential exploitation.

Open questions remain: Was the April 2025 social engineering attack part of a larger campaign? Have other brands within Carnival Corporation been compromised? And will Carnival finally submit to a third-party security audit to break this cycle?