Carnival Discloses Cybersecurity Event in Maine Filing

Carnival Corporation has been named in a new Maine Attorney General data breach notice reporting a cybersecurity event that affected 5,995,277 people, including 9,746 Maine residents. The filing adds a significant data-security disclosure to the cruise sector’s 2026 watch list, though the public notice does not identify a specific ship, brand, port, itinerary or onboard system involved.

What the Maine filing says

The state notice identifies the entity as Carnival Corporation, with a Miami address. According to the filing, the breach occurred on April 10, 2026, and was discovered on April 14, 2026.

The notice lists electronic consumer notification dated May 27, 2026. It also says consumer reporting agencies were notified, a required field in the Maine form when the number of Maine residents exceeds 1,000.

Key figures in the filing include:

• Total affected persons: 5,995,277
• Maine residents affected: 9,746
• Breach date listed: April 10, 2026
• Discovery date listed: April 14, 2026
• Consumer notification: Electronic, dated May 27, 2026

Why it matters for cruise readers

Carnival Corporation is one of the cruise industry’s largest parent companies, and cybersecurity notices of this scale are closely watched by travelers, travel advisors and industry partners. Cruise businesses depend on digital systems for reservations, loyalty records, payments, shoreside operations and guest communications, making data-security disclosures a material reputational and operational issue even when a filing does not specify which systems were involved.

In this case, the Maine record is narrow. It names Carnival Corporation and provides the affected-person totals, dates and protection services, but it does not publicly connect the event to a particular vessel, cruise brand, destination or terminal operation.

Protection services listed

The filing says identity theft protection services were offered. According to the notice, TransUnion is providing Single Bureau Credit Monitoring, a Single Bureau Credit Report and a Single Bureau Credit Score at no charge for 24 months from enrollment.

The notice also says users will be notified the same day a change or update takes place with the bureau, and that proactive fraud assistance is being provided through TransUnion’s Cyberscout.

What to watch next

The next useful details would be any additional public notices that clarify the data elements involved, whether other state portals publish related filings, and whether Carnival Corporation provides further context beyond the state form.

For now, the most specific public record is the Maine Attorney General data breach notice for Carnival Corporation.