Carnival Cruise confirms data breach affecting nearly 6 million people
Carnival Corporation confirmed a data breach affecting nearly 6 million people, claimed by the ShinyHunters extortion gang after a social engineering attack in April 2026.

Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million individuals that was claimed by the ShinyHunters extortion gang in April 2026. The company began notifying affected customers on Wednesday after discovering unauthorized access to its IT systems through a social engineering attack on an employee.
The breach was first detected on April 14, 2026, when Carnival's IT security team identified suspicious activity involving an employee account. The unauthorized actor used social engineering tactics to deceive an employee into granting access to a limited portion of the company's systems. Carnival immediately blocked the unauthorized activity and launched an investigation with third-party security experts. By April 22, the company determined that the attacker had successfully copied personal information.
While Carnival has not officially attributed the attack, the ShinyHunters cybercrime group claimed responsibility in April, stating they had stolen documents containing over 8.7 million records with personally identifiable information and terabytes of internal corporate data. Have I Been Pwned analyzed the leaked data and confirmed that the breach exposed names, dates of birth, email addresses, genders, geographic locations, and loyalty program details related to Holland America's Mariner Society loyalty program.
The cruise line giant operates over 90 ships and nine major brands, including Carnival Cruise Line, Princess Cruises, Holland America Line, and Cunard, serving approximately 13.5 million guests in 2024 with revenues exceeding $26 billion. With over 160,000 employees, the scale of the breach highlights the vulnerability of large hospitality organizations to targeted extortion attacks.
ShinyHunters has been increasingly active over the past year, targeting Salesforce customers and breaching hundreds of companies worldwide. The group's campaigns, including the Salesloft Drift campaign and Salesforce Aura data theft attacks, have claimed billions of records stolen. The FBI recently advised ShinyHunters' victims not to pay ransom demands, warning that payment does not guarantee attackers won't re-extort victims or sell stolen data.
Carnival has a history of security incidents, including data breaches disclosed in March 2020 and June 2021 that exposed personal and financial information after threat actors accessed employee email accounts. Ransomware gangs also breached the company's systems in August 2020 and December 2020, stealing customer and employee data. The company is now working with law enforcement and notifying affected individuals, but the incident underscores the persistent threat posed by extortion groups targeting large enterprises with sensitive customer data.
Carnival's filing with the Maine attorney general's office now pegs the number of affected individuals at just under six million, lower than the 8.7 million records previously listed by Have I Been Pwned. The company confirmed that stolen data includes names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers, and has begun notifying victims with offers of two years of free credit monitoring via TransUnion. ShinyHunters claimed on its leak site that negotiations broke down, stating, "They don't care."
The Malwarebytes report adds the detail that the attacker used social engineering to trick a Carnival employee on April 14, 2026, then leveraged a compromised account on April 22 to copy personal data from a limited portion of IT systems. The notice filed in Maine confirms 5,995,277 people were affected, and the data exposed may include names, email addresses, dates of birth, genders, Mariner Society membership status, and internal customer identifiers, but not payment or passport numbers. Carnival is offering a 24-month TransUnion credit-monitoring package via MyTrueIdentity, though the letter template uses a "<<data elements>>" placeholder, suggesting each victim receives a customised list of exposed fields.
Carnival began issuing formal breach notification letters on May 27, 2026, nearly six weeks after the incident was confirmed, alerting an estimated 6 million affected individuals across the United States. The company is offering a complimentary 24-month credit monitoring membership through TransUnion's MyTrueIdentity platform, powered by Cyberscout, with enrollment required by August 31, 2026. Carnival stated it conducted a "thorough and time-consuming" file analysis to determine which data elements belonged to each affected individual before sending personalized notifications.