Carnival Corporation Data Breach Impacts Thousands of Cruise Customers, Cybersecurity Experts Warn of Identity Theft Risk
MIAMI, FL — April 3, 2025 (10:00 AM ET) — A significant cybersecurity incident has compromised the personal information of thousands of cruise passengers after a third-party vendor suffered a data breach, prompting a formal investigation by federal authorities and a class-action lawsuit against Carnival Corporation.
According to an official statement released Tuesday, the incident occurred through a compromised third-party marketing email tracking tool, affecting data from several of the cruise giant’s North American, Australian, and European brands. Affected lines include Carnival Cruise Line, Princess Cruises, Holland America Line, and Seabourn.
The compromised data includes names, email addresses, phone numbers, physical addresses, and booking details, including dates of travel. In some cases, loyalty program numbers and passport numbers were also exposed. No financial payment data or social security numbers are believed to have been compromised.
The timeline of events indicates the breach was detected on October 3, 2024. Carnival says it immediately disabled the compromised tool and engaged external cybersecurity experts to contain the threat. Notifications to affected customers, which total over 1.9 million individuals, began on February 15, 2025.
The Federal Bureau of Investigation has been notified of the incident, while the attorney general offices of multiple states, including Florida and California, have opened inquiries into the company’s data handling practices. On March 11, 2025, a class-action lawsuit was filed in the Southern District of Florida, alleging negligence and violation of data privacy laws.
Cybersecurity experts emphasize the risk to affected individuals. Dr. Sarah Jenkins, a data privacy analyst at CyberSecure Labs, explained the primary concern. "While the immediate threat is not financial, the exposure of passport and loyalty numbers creates a significant risk for identity theft and accommodation fraud. Affected consumers should closely monitor their credit reports and change passwords for other accounts using similar