Bottom line: Carnival Corporation has begun notifying people affected by an April 2026 cybersecurity incident, and more than 800,000 Texans may be included according to reporting that cites the Texas Attorney General’s Office. If you recently received a Carnival, Princess, Holland America, or related cruise-brand breach notice, do not ignore it. The information involved can be useful for identity theft, targeted phishing, fake travel refunds, and account takeover attempts.
Carnival’s public notice says the company identified unauthorized activity involving an employee account on April 14, 2026. Carnival says an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of the company’s IT system. On April 22, 2026, Carnival first determined that personal information had been copied, and notification emails began around May 27, 2026.
Quick Protection Checklist
- Read the Carnival notice carefully. It should explain what data elements were involved for you and whether you are eligible for complimentary TransUnion credit monitoring.
- Enroll in the offered credit monitoring if you are eligible. Carnival says U.S. affected individuals are being offered two years of complimentary credit monitoring through TransUnion.
- Freeze your credit at all three bureaus. A credit freeze is free and can stop criminals from opening new credit accounts in your name.
- Watch for cruise-themed phishing. Treat unexpected “refund,” “upgrade,” “lawsuit,” “travel credit,” “passport verification,” or “claim your compensation” messages with suspicion.
- Monitor credit reports and financial accounts. Use AnnualCreditReport.com, bank alerts, and card alerts.
- Report real identity theft immediately. Use IdentityTheft.gov, local police, and the Texas Attorney General’s identity theft resources.
What Information Was Involved?
Carnival’s substitute notice says the affected data varies by person and the company’s analysis is ongoing. As of the notice, the information known to be involved includes name, address, email address, phone number, date of birth, and government-issued identification number, such as a driver’s license number or passport number.
That mix matters. A stolen email address alone is bad enough for phishing. A name, date of birth, address, phone number, and government ID number is more serious because it can help criminals impersonate someone, pass weak account verification questions, attempt fraudulent applications, or make scams look more believable.
How Many People Were Affected?
The Houston Chronicle reported that Carnival’s breach included personal information of more than 800,000 Texans, citing the Texas Attorney General’s Office. The same report notes that the Maine Attorney General’s Office estimate listed 5,995,277 people affected overall.
For Texas residents, the local impact is easy to understand: Carnival has a major presence in Galveston cruise travel, and many Texas families have used Carnival-owned brands over the years. If you booked, cruised, joined a loyalty program, requested information, or handled travel through a Carnival-owned brand, watch for official notification.
Who To Contact If You Think You Were Affected
Carnival / TransUnion incident call center: Carnival says it established a dedicated TransUnion call center for questions about the incident and the offered TransUnion services. The number in Carnival’s notice is 1-844-593-8310, available 8 a.m. to 8 p.m. Eastern, Monday through Friday, excluding major U.S. holidays.
- If you received a Carnival notice: use the instructions in that notice first. Be careful to type official links manually or use Carnival’s official website instead of clicking links from random forwarded emails.
- If you see fraudulent accounts or identity theft: file a report at IdentityTheft.gov and save the recovery plan.
- If money was stolen or a fake account was opened: contact your local police and ask how to obtain a police report.
- If you are in Texas: review the Texas Attorney General’s Identity Theft resources and consumer complaint options.
- If your passport number may have been involved: watch for suspicious travel or identity activity and review U.S. State Department guidance before responding to anyone claiming they can “fix” passport exposure for a fee.
Freeze Your Credit: The Strongest First Step
The Federal Trade Commission says credit freezes and fraud alerts can help protect against identity theft by making it harder for scammers to open new credit accounts in your name. A credit freeze is free, does not hurt your credit score, and lasts until you lift it.
If you are not actively applying for a loan, mortgage, apartment, credit card, or new utility account, freezing your credit is usually the most practical protection. You must freeze each bureau separately:
A freeze does not stop every type of fraud. It does not stop someone from using an existing credit card number, taking over an existing account, or sending phishing emails. It mainly helps block new-credit fraud.
Fraud Alert vs. Credit Freeze
A fraud alert tells lenders to take extra steps to verify your identity before opening new credit. The FTC says an initial fraud alert lasts one year and is free. You only need to contact one of the three major bureaus to place an initial fraud alert; that bureau must tell the other two.
A credit freeze is stronger for most people because it blocks access to your credit file for new credit checks unless you temporarily lift the freeze. For many breach victims, the best setup is a freeze at all three bureaus plus monitoring for account activity.
Watch For These Scams After The Carnival Breach
- Fake Carnival refund emails: criminals may promise compensation, onboard credit, or a refund if you “verify” your identity.
- Fake credit-monitoring enrollment pages: use the official notice and official Carnival/TransUnion instructions, not a random search ad.
- Travel document scams: if passport or driver’s license information was involved, scammers may pretend to help “secure” or “replace” documents for a fee.
- Phone calls using real breach details: a scammer may know your name, phone number, travel brand, or old address. That does not make the call legitimate.
- Class-action and settlement bait: do not pay a fee or provide sensitive information to join a “data breach settlement” from an unknown text or ad.
What To Do This Week
- Find the official notice. Search your email for Carnival, Princess, Holland America, Seabourn, Cunard, Costa, AIDA, or other Carnival Corporation brands you have used.
- Use the official call center if you have questions. Carnival lists 1-844-593-8310 for the TransUnion call center tied to this incident.
- Freeze your credit at Equifax, Experian, and TransUnion. Save the login information and PIN/recovery details somewhere safe.
- Pull your credit reports. Use AnnualCreditReport.com and review unfamiliar accounts, addresses, employers, or inquiries.
- Turn on bank and card alerts. Low-dollar test charges can come before larger fraud attempts.
- Change reused passwords. The notice does not say passwords were involved, but breach-related phishing often tries to capture travel, email, banking, and loyalty-account logins.
- Protect your email account. Turn on MFA, remove unknown forwarding rules, and check recent sign-ins. Your email is often the recovery key for everything else.
- Keep records. Save the notice, dates, credit freeze confirmations, police report number if any, and FTC recovery plan.
Small Business Reminder: Employee Travel Data Is Still Business Risk
This breach is mostly being discussed as a consumer issue, but small businesses should pay attention too. Employees often book work travel with personal email, reuse phone numbers and addresses, and store travel confirmations in the same inbox they use for work. A convincing travel-themed phishing message can become a Microsoft 365, Google Workspace, payroll, or banking problem if an employee is tricked into signing in.
Business owners should remind staff not to click unexpected breach, refund, or travel-credit links; require MFA on email; and keep a simple process for reporting suspicious messages. A breach at another company can still become your problem if scammers use the exposed details to target your team.
Good News And Bad News
- Good news: Carnival says it stopped the unauthorized activity and is not aware of unauthorized activity since the attack was stopped on April 14.
- Good news: U.S. affected individuals are being offered two years of complimentary TransUnion credit monitoring.
- Bad news: the known affected data includes government-issued identification numbers for some people, which raises the seriousness of the incident.
- Bad news: the data varies by individual, so every person needs to read their own notice instead of assuming someone else’s affected fields match theirs.
- Bad news: breach-themed phishing often increases after public notices because scammers know people are expecting messages.
When To Call The IT Guys
Call The IT Guys if you need help freezing credit, checking whether a message is real, cleaning up email security, reviewing suspicious account activity, or helping employees understand what to do after a breach. We can also help small businesses build a practical response checklist for employee data-breach notices so people do not wait until fraud appears.
The most important advice is simple: if you think you were affected, act now. Freeze credit, enroll in legitimate monitoring if offered, watch accounts, and report real identity theft quickly.
FAQ
Was payment card data involved?
Carnival’s public notice lists name, address, email address, phone number, date of birth, and government-issued identification number as known affected categories to date. The notice says the affected data varies by person and the analysis is ongoing, so affected individuals should read their own notice carefully.
Should I freeze my credit even if I have credit monitoring?
Usually, yes. Credit monitoring can alert you after activity appears. A credit freeze can help prevent new credit from being opened in the first place. They solve different problems.
What if I did not receive a notice?
Carnival says it began email notifications around May 27 where required and where contact information was available. If you believe you may be affected, use Carnival’s official notice and call center information rather than a random link from social media or search ads.
Where should Texans report identity theft?
Start with IdentityTheft.gov, contact local police if a crime occurred, and use the Texas Attorney General’s identity theft and consumer complaint resources for state-level guidance.