Nearly 4,000 Vermonters' IDs Were Exposed in the Carnival Cruise Lines Breach — and It Isn't the Company's First
The cruise giant says a deceived employee opened the door. Vermont is one of the states that secured email-security reforms from Carnival in 2022, after a similar breach.
Carnival Corporation has told the Vermont Attorney General’s Office that 3,915 Vermont residents had their government-issued identification numbers exposed in a data breach this spring — part of an incident the company says affected nearly six million people nationwide (5,995,277, by Carnival’s own count).
The figure appears in the state’s public security-breach registry, reported on May 28; the Carnival entry sits among the reports listed there, which begin April 17, 2026. The registry notes that resident counts can rise as a company finishes its analysis, so 3,915 is a floor, not a final number. For a small state, 3,915 affected residents is a substantial local footprint.
What happened. By Carnival’s own account, its security team identified unauthorized activity in an employee’s account on April 14. The company says an unauthorized actor used “social engineering” — deceiving a person into granting access rather than breaking through a system — to reach a limited portion of its network. The exposed information, according to Carnival, includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued ID numbers, specifically driver’s license and passport numbers. Carnival’s May 27 public notice does not list Social Security numbers among the categories known to be involved to date.
What’s been reported beyond that. The extortion group ShinyHunters claimed responsibility for the attack, and security researchers have reported that the stolen data was published online after Carnival declined to pay a ransom. The breach-notification service Have I Been Pwned catalogued roughly 7.5 million email addresses in the leaked data, tied to the Mariner Society, a Holland America Line loyalty program, and ShinyHunters claimed more than 8.7 million records. Those higher figures are counts of raw leaked records, which can include duplicates, and are not the same as Carnival’s nearly 6 million — the number of individuals the company says it is legally notifying. Carnival has not publicly confirmed who was behind the breach, and Compass Vermont could not independently verify the attribution or the contents of any leaked file.
There has also been discussion circulating online that passport numbers are among the data sitting in a publicly dumped file. Compass could not confirm that claim. We are noting it because it matters to the Vermonters in this count — and if you have direct knowledge of what is in that file, or you received a Carnival notice and can share it, we want to hear from you.
It isn’t the first time. This is not Carnival’s first significant breach, and not the first to begin with employee accounts. A 2019 breach exposed the personal information of about 180,000 Carnival employees and customers nationwide and led, in 2022, to a $1.25 million multistate settlement with 46 attorneys general, including Vermont. As part of that agreement, Carnival agreed to strengthen its email-security and breach-response practices, including employee security training with phishing exercises and multi-factor authentication for remote email access. Now, in a separate 2026 incident, Carnival says an unauthorized actor used social engineering to deceive an employee and gain access to part of its IT system.
That history is what makes the Vermont filing notable beyond the count. Vermont was among the states that secured those 2022 reforms from Carnival. Four years later, 3,915 Vermonters are listed in the registry over an incident the company again traces to a deceived employee.
What affected Vermonters can do
Carnival began notifying people by email on May 27. The public notice it posted is a substitute notice — meant for people the company couldn’t reach directly. So if you’ve sailed with Carnival or one of its brands and haven’t received a letter, don’t assume you’re in the clear.
Carnival is offering eligible U.S. residents two years of free credit monitoring through TransUnion. Questions and enrollment help: the TransUnion call center at 1-844-593-8310.
Consider a credit freeze with all three bureaus — Equifax, Experian, and TransUnion — requested separately from each. A freeze blocks new credit from being opened in your name without a security code.
You’re entitled to a free annual credit report from each bureau at annualcreditreport.com.
Because driver’s license and passport numbers are among the exposed categories, watch for misuse of those documents, not just your financial accounts. A passport number can’t simply be reissued like a credit card.
Watch for phishing emails referencing cruises or loyalty programs — a common follow-on to a breach like this.
Compass Vermont reported this story from public records: the Vermont and Maine Attorney General breach filings, Carnival’s own incident notice, the 2022 multistate settlement, and analysis published by the breach-notification service Have I Been Pwned. Claims about the identity of the attacker and the public release of stolen data are attributed to security researchers and the group itself; Carnival has not confirmed them, and neither has Compass.



