MIAMI, May 27, 2026 /PRNewswire/ — Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident.

This notice is intended to provide the same information included in the notification letters to individuals for whom the company has insufficient or out-of-date contact information. The company also launched a webpage to report the incident publicly on May 27, 2026.

What happened

On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system. The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation the company determined the bad actor illegally accessed certain personal information.

What Personal Information was involved

The company has been conducting a thorough and time-consuming analysis of the impacted data to determine what personal information it contained and to whom that information belongs. While this analysis is ongoing and the affected data varies by individual, to date, the impacted data is known to include the following personal information: name, address, email address, phone number, date of birth, and government-issued identification number (e.g., driver’s license number and passport number).

What the company is doing

The company is notifying individuals whose personal information was affected via email, as required and where available. The company is offering individuals in the U.S. two years of complimentary credit monitoring through its preferred third-party vendor, TransUnion. The notices provide the nature of the information involved and contact details for the dedicated TransUnion call center established to assist with enrollment for eligible individuals and to address any inquiries related to the incident. Individual notifications were issued starting May 27, 2026.

In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape.

What you can do

Together with enrolling in the credit monitoring services being offered to eligible individuals whose data was impacted at no charge, the company encourages ongoing data security precautions:

• Remain vigilant against threats of identity theft or fraud and regularly review and monitor account statements and credit histories for any signs of unauthorized transactions or activity.
• Individuals who suspect they are the victim of identity theft or fraud should contact their local police.

For more information

The company has established a dedicated call center to answer questions about the cybersecurity event as well as the TransUnion services that the company is offering to you. If you have any questions, please call the TransUnion call center at 1-844-593-8310, from 8 a.m. to 8 p.m. ET Monday through Friday, excluding major U.S. holidays.

Additional information for US residents

U.S. customers are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit www.annualcreditreport.com or call toll-free +1 (877) 322-8228.

You may contact the U.S. Federal Trade Commission (FTC) for information on fraud alerts, security freezes, and how to protect yourself from identity theft. The FTC can be contacted at 400 7th St. SW, Washington, DC 20024; telephone +1 (877) 382-4357 or www.consumer.gov/idtheft.

Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state Attorney General, or the FTC.

California residents: Visit the California Office of Privacy Protection (https://oag.ca.gov/privacy) for additional information on protection against identity theft.

District of Columbia residents: The District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; +1 (202) 727-3400, oag@dc.gov and www.oag.dc.gov.

Iowa residents: The Attorney General can be contacted at the Office of Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, Iowa 50319; +1 (515) 281-5164, www.iowaattorneygeneral.gov. 

Kentucky residents: The Attorney General can be contacted at Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601, www.ag.ky.gov, Telephone: +1 (502) 696-5300.

Maryland residents: The Attorney General can be contacted at Office of Attorney General, 200 St. Paul Place, Baltimore, Maryland 21202; +1 (888) 743-0023 or www.marylandattorneygeneral.gov. 

Massachusetts residents: Under Massachusetts law, you have the right to obtain any police report filed in connection with the cybersecurity event. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

North Carolina residents: The Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; +1 (919) 716-6400 or www.ncdoj.gov. 

New Mexico residents: You have rights under the federal Fair Credit Reporting Act (FCRA), which governs the collection and use of information pertaining to you by consumer reporting agencies. For more information about your rights under the FCRA, please visit https://www.ftc.gov/system/files/ftc_gov/pdf/fcra-march-2026.pdf or www.ftc.gov. 

New York residents: The Attorney General can be contacted at the Office of the Attorney General, The Capitol, Albany, NY 12224-0341; +1 (800)-771-7755 or www.ag.ny.gov. 

Oregon residents: The Attorney General can be contacted at Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096; +1 (877) 877-9392 (toll-free in Oregon), +1 (503) 378-4400, or www.doj.state.or.us. 

Rhode Island residents: The Attorney General can be contacted at 150 South Main Street, Providence, Rhode Island 02903; +1 (401) 274-4400 or www.riag.ri.gov. You may also file a police report by contacting local or state law enforcement agencies.

For Arizona, California, Iowa, Montana, Washington and West Virginia residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit bureaus directly to obtain such additional report(s).

View original content:https://www.prnewswire.com/news-releases/carnival-corporation-notice-of-data-breach-302783524.html

SOURCE Carnival Corporation Ltd.