Carnival Cruise confirms data breach affecting nearly 6 million people
Source: Bleeping Computer
Overview
Carnival Corporation, the world’s largest cruise line operator, confirmed a data breach affecting nearly 6 million people. The breach was claimed by the ShinyHunters extortion gang in April 2026. Carnival employs over 160 000 staff and served around 13.5 million guests in 2024 across a fleet of more than 90 ships. The company operates nine major cruise brands—Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn—plus a travel tour company (Holland America Princess Alaska Tours), reporting revenues of over $26 billion last year.
Notification Details
The company began notifying 5,995,277 customers on Wednesday that threat actors stole their data in an April 10 breach after gaining access to some IT systems via a social‑engineering attack.
“On April 14 2026, the Company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company’s IT system,” the company said in its data‑breach notification letters.
“The Company acted swiftly to block the unauthorized activity and immediately began working with third‑party security experts to further strengthen our security and to conduct a thorough investigation. On April 22 2026, the Company first determined that the bad actor illegally copied personal information.”
ShinyHunters Claim
While Carnival has not officially attributed the attack, the ShinyHunters cybercrime group claimed responsibility, stating they stole documents containing over 8.7 million records of personally identifiable information and terabytes of internal corporate data.
Carnival on ShinyHunters leak site (BleepingComputer)
A Carnival spokesperson did not respond to BleepingComputer’s request for comment. However, the data‑breach notification service Have I Been Pwned analyzed the leaked data and reported that the breach exposed:
- Names
- Dates of birth
- Email addresses
- Genders
- Geographic locations
- Loyalty program details (Mariner Society loyalty program run by Holland America)
“The data contained fields indicating it related to the Mariner Society loyalty program … and included names, dates of birth, genders and data relating to status within the loyalty program,” Have I Been Pwned noted.
Context on ShinyHunters Activity
Over the past year, ShinyHunters has targeted Salesforce customers and claimed to have stolen billions of records in the Salesloft Drift campaign and the Salesforce Aura data‑theft attacks.
The FBI recently advised victims of ShinyHunters not to pay ransom demands, warning that payment does not guarantee the attackers will not attempt further extortion or sell the stolen data.
Previous Carnival Breaches
Carnival Corporation disclosed additional data breaches in:
- March 2020 – potential breach affecting customers, employees, and crew.
- June 2021 – breach exposing personal and financial information after threat actors accessed employee email accounts.
- August 2020 and December 2020 – ransomware incidents that stole personal information of customers and employees.
These incidents were reported by BleepingComputer and documented in public filings.