Carnival Data Breach Exposed 6 Million People

Carnival Corporation notified 6 million people that their personal data was compromised in a cyberattack identified on April 14. Hackers exploited an employee’s account through social engineering, accessing company systems and extracting files containing names, addresses, dates of birth, email addresses, phone numbers, and government-issued IDs. The breach was linked to the extortion group ShinyHunters, which claimed to have stolen 8.7 million records and made the data public in late April. However, Carnival reported 5,995,277 affected individuals to the Maine Attorney General’s Office, offering 24 months of free credit monitoring. A separate analysis by HaveIBeenPwned suggested 7.5 million Mariner Society loyalty program accounts were impacted, including names, email addresses, birth dates, and loyalty details. The company stated it conducted a thorough review to determine the scope of exposed data. While Carnival has not disclosed further technical details, the incident follows a pattern of repeated breaches, including a 2019 hack, a 2020 ransomware attack, and another breach in March 2021. Security experts emphasized the need for stronger defenses against social engineering, such as multi-factor authentication and behavioral monitoring. This is the latest in a series of high-profile data breaches affecting major corporations. Carnival’s response includes notifying affected individuals and collaborating with authorities, though the full extent of the attack remains under investigation.