Carnival Corporation
The world's largest cruise company experienced another breach—guest passports, payment data, and travel records exposed.
What happened?
Carnival Corporation, which operates Carnival Cruise Line, Princess Cruises, Holland America, and other major cruise brands, disclosed another data breach affecting guest information. This isn't Carnival's first breach—they've experienced multiple security incidents in recent years, yet guest data continues to be exposed.
What data was actually inside?
Cruise bookings require extensive personal data: passports for international travel, payment cards for onboard spending, emergency contacts, dietary restrictions, medical conditions, and travel companions. Carnival collects all of this—and more—for millions of guests annually.
Post-pandemic health screening data adds another layer: vaccination records, COVID test results, and health attestations that were never meant to be collected and kept permanently.
Who gets hurt and how?
Cruise guests who booked a vacation and ended up with their passport data stolen. Passport information is particularly dangerous—it's a primary identity document that's difficult and expensive to replace. Combined with travel dates, it tells attackers when victims are away from home.
Payment card data enables immediate fraud. Travel patterns enable targeted attacks. Health data enables discrimination and blackmail.
What did they think they were doing right?
Carnival is a publicly traded company with a global IT infrastructure. They operate across multiple countries, handle international data transfers, and must comply with GDPR, CCPA, and various maritime regulations. They have security programs. They have incident response plans. They've used them before.
The repeated breaches suggest that whatever they think they're doing right isn't working.
What did they not know about their own data?
Carnival didn't know how sprawling their data footprint had become. Guest data flows between booking systems, ship systems, port systems, loyalty programs, marketing databases, and vendor integrations. Each touchpoint is a potential vulnerability. Each integration is a data sharing relationship that extends the attack surface.
When you operate a floating city, data is everywhere—and apparently, so are the vulnerabilities.
What does attribution look like the morning after?
More notification letters. More credit monitoring offers. More regulatory scrutiny—this time with a history of prior incidents to reference. The FTC, state AGs, and international regulators can point to a pattern. Previous settlements and enforcement actions create a baseline for escalating consequences.
For repeat offenders, each breach compounds reputational damage. Guests start to wonder if any cruise company can protect their data.
What would have changed the outcome?
Actually knowing where all guest data lives—and keeping that inventory current.
If Carnival had continuous visibility into passport data, payment data, and health records across their entire infrastructure—shore-side and ship-side—they could have detected anomalous access and contained breaches faster. After multiple incidents, they should know their data landscape. Apparently, they still don't.
Don't Learn What You Have From an Attacker
Carnival keeps learning about their data exposure from attackers. Risk Finder shows you first.