MIAMI — Carnival Corporation says it is taking steps to further safeguard its systems, including enhancing its security and monitoring controls, in the wake of a data breach reportedly impacting some six million passenger accounts.

According to a statement from Carnival Corp. on April 14, the company’s IT security team identified unauthorized activity involving an employee’s account. “An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company’s IT system. The company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen its security and to conduct a thorough investigation. As part of this investigation the company determined the bad actor illegally accessed certain personal information,” says the cruise company.

The analysis is ongoing and the affected data varies by individual, however so far the impacted data is known to include passenger names, their address, email address, phone number, date of birth, and government-issued identification numbers (including driver’s license number and passport number).

Data breach notification service Have I Been Pwned says the breached data came from Holland America Line’s Mariner Society past-passenger loyalty program.

Carnival Corp. is send out notification letters via email, “as required and where available”, to individuals whose data was impacted.

Passengers in the U.S. are offered two years of credit monitoring through third-party vendor TransUnion. Carnival Corp. says it will continue to advance its IT security and data privacy controls “to stay ahead of an ever-evolving threat landscape.”

The company is advising ongoing data security precautions for passengers as well, saying past guests should remain vigilant against threats of identity theft or fraud and regularly review and monitor account statements and credit histories for any signs of unauthorized transactions or activity. Individuals who suspect they are the victim of identity theft or fraud should contact their local police.

This isn’t the first data breach for Carnival Corp., according to Reuters. A major breach in 2021 impacted passenger, employee and crew member data from lines including Carnival, Princess and Holland America.