Carnival Corporation, the world’s largest cruise company, has notified nearly six million customers that their personal information was exposed in a cyberattack detected in April.

The company said a threat actor gained access to a portion of its information technology systems after deceiving an employee.

“In April, we identified unauthorized access to a limited part of our IT system caused by a social engineering attack on a single user account,” Carnival Corporation said in a statement. “We immediately blocked the activity, engaged third-party security experts and alerted law enforcement.”

According to a data breach notification filed with the Maine Attorney General’s Office, the incident affected 5,995,277 individuals.

The compromised data varies by individual but may include names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, including passport and driver’s license numbers.

The extortion group ShinyHunters claimed responsibility and allegedly published the stolen data on the dark web after Carnival refused to pay the ransom. 

Carnival, which operates a fleet of approximately 90 ships across multiple brands, said it is notifying affected customers and has established a dedicated call center to assist them. Carnival is also offering affected passengers two years of credit monitoring through TransUnion.

Carnival said it has strengthened its security measures and monitoring capabilities following the breach and plans to continue investing in data protection practices.

The company served approximately 13.5 million guests in 2025, according to its annual report. In addition to Carnival Cruise Line, its portfolio includes AIDA Cruises, Costa Cruises, Cunard, Holland America Line, P&O Cruises and Princess Cruises.