Carnival Corporation data breach affects 5.9 million customers

SOPA Images / Getty Images

Carnival Corporation $CCL +0.43% began notifying nearly 6 million people on Wednesday that a social engineering attack in April exposed their personal information, including names, addresses, and government-issued identification numbers.

According to breach notification letters sent to customers, unauthorized activity involving an employee account was flagged by the company's IT security team on April 14, after an attacker manipulated the employee through social engineering to obtain access to part of its infrastructure. The breach itself occurred on April 10, according to a filing Carnival submitted to Maine's attorney general. The company determined on April 22 that personal information had been copied, according to BleepingComputer.

In total, 5,995,277 individuals were affected, including 9,746 Maine residents, according to the Maine attorney general filing. The compromised data varies by individual but includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver's license and passport numbers, the company said.

Customers whose data was exposed are being contacted via email, and those based in the U.S. are eligible for two years of free credit monitoring provided through TransUnion, Carnival said. The company has also set up a dedicated call center to handle inquiries.