Carnival Corporation Data Breach Exposes Millions of Guest Records, Company Announces Federal Investigation
MIAMI, FL — Carnival Corporation & plc has confirmed a significant data breach compromising personal information of millions of guests and crew members, prompting an ongoing federal investigation.
WHAT: A sophisticated cyberattack exposed sensitive data, including names, addresses, phone numbers, passport numbers, and in some cases, financial information such as credit card numbers and expiration dates. The company stated that the breach was detected on March 19, 2025, during a routine security audit.
WHO: The incident affects an estimated 8.3 million individuals, including passengers from the Carnival Cruise Line, Princess Cruises, and Holland America Line brands. Carnival Corporation & plc, the world's largest cruise operator, is the entity responsible for the breach.
WHEN: The unauthorized access occurred between February 15 and March 19, 2025. The company notified affected customers via email and posted a security notice on its official website on March 25, 2025.
WHERE: The breach is believed to have originated from a third-party vendor's system used for onboard services, based in Fort Lauderdale, Florida. Federal law enforcement, including the Federal Bureau of Investigation, have launched a probe into the attack's origin, with potential links to a known ransomware group operating in Eastern Europe.
WHY: Preliminary findings suggest that vulnerabilities in the vendor's cloud-based reservation platform were exploited. Carnival Corporation has not confirmed a ransom demand, but cybersecurity experts note that the attack appears financially motivated, with the stolen data already detected for sale on dark web forums.
Carnival Corporation has stated that it is offering complimentary credit monitoring and identity theft protection services to all affected guests. The company urges consumers to remain vigilant and report any suspicious activity to their financial institutions.