Carnival breach exposes data of nearly 6 million travelers


Carnival Corporation confirmed a data breach affecting nearly 6 million travelers after a social engineering attack on an employee account, with disclosure delayed by six weeks due to forensic analysis. The extortion group ShinyHunters claimed responsibility, alleging stolen data from the Mariner Society loyalty program tied to multiple Carnival cruise brands, including Holland America Line.

Carnival Corporation has confirmed a data breach exposing nearly 6 million individuals, including 9,746 Maine residents, after a social engineering attack on an employee account in April 2026. The breach involved names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers like driver’s license and passport numbers. Carnival detected unauthorized activity on April 14, 2026, and confirmed data theft by April 22, but delayed public disclosure until May 27, citing the need for thorough file analysis and personalized notifications. The company stated it blocked the attack, engaged third-party security experts, and alerted law enforcement.

Affected individuals are being notified via email, with eligible U.S. residents offered two years of free credit monitoring through TransUnion’s MyTrueIdentity platform. A dedicated call center (1-844-593-8310) has been set up to assist with enrollment and inquiries.

The extortion group ShinyHunters claimed responsibility, listing Carnival on its pay-or-leak portal in April 2026 and alleging theft of over 8.7 million records, including loyalty program data from Holland America Line’s Mariner Society. While Carnival reported 5.99 million affected individuals, Have I Been Pwned analyzed leaked data and found 8.7 million records with 7.5 million unique email addresses linked to the loyalty program.

The breach extends beyond Carnival’s direct customers, as the company operates nine cruise brands, including Carnival Cruise Line, Princess Cruises, and Cunard. Travelers who booked with any of these brands may be affected, even if they did not identify as Carnival customers.

ShinyHunters has previously targeted industries like food, music, and education, often using voice phishing to obtain credentials before accessing cloud systems. Carnival has added new security layers and monitoring to prevent future incidents, though the delay in disclosure raised concerns about transparency. The company expressed regret for any distress caused and emphasized its commitment to protecting customer data moving forward.

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
