The cruise operator said the cyber attack gained unauthorized access that also included the download of certain data files.
“Promptly upon its detection of the security event, the company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals", the FTSE 250-listed firm said in a statement.
“While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems” it added.
Carnival said that while it does not believe the incident will have a material impact on its business, operations or financial results, it faces potential claims from guests, employees, shareholders, or regulatory agencies for the breach.
The company added that while it does not believe other areas of the business have been affected, there is no assurance on that front.
The attack could not come at a worse time for Carnival which is already reeling from the impact of coronavirus restrictions on its business.
Losses soared to US$4.4bn in the three months to end May 2020 and the company has still not been able to resume its activities due to pandemic quarantine restrictions in numerous countries.
Recently introduced EU data protection means the company can be fined up to 4% of global revenues if it is found to have been negligent.