Skip to content
Tech News
← Back to articles

Carnival Cruise confirms data breach affecting nearly 6 million people

2026-05-28 | original
read original get Carnival Cruise Data Breach Kit → more articles
Why This Matters

The Carnival data breach affecting nearly 6 million people highlights the ongoing cybersecurity risks faced by large corporations in the travel industry. It underscores the importance of robust security measures to protect sensitive customer data and maintain trust in the digital age. This incident serves as a reminder for consumers to remain vigilant about their personal information and for companies to strengthen their cybersecurity defenses.

Key Takeaways

Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026.

The cruise line giant has over 160,000 employees and served around 13.5 million guests in 2024 via a fleet of over 90 ships.

Carnival operates nine of the world's leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours), and it reported revenues of over $26 billion last year.

The company started notifying 5,995,277 customers on Wednesday that threat actors stole their data in an April 10 breach after gaining access to some of its IT systems in a social engineering attack.

"On April 14, 2026, the Company's IT security team identified unauthorized activity involving an employee's account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company's IT system," the company said in data breach notification letters sent to affected individuals.

"The Company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen our security and to conduct a thorough investigation. On April 22, 2026, the Company first determined that the bad actor illegally copied personal information."

While Carnival has yet to attribute the attack, the ShinyHunters cybercrime group claimed responsibility for the breach in April, saying they stole documents containing over 8.7 million records with personally identifiable information and terabytes of internal corporate data.

Carnival on ShinyHunters leak site (BleepingComputer)

Although a Carnival spokesperson didn't reply when BleepingComputer reached out to confirm ShinyHunters' claims and for more details on what data was stolen in the attack, data breach notification service Have I Been Pwned analyzed the data leaked by the extortion gang and said the breach exposed affected people's names, dates of birth, email addresses, genders, geographic locations, and loyalty program details.

"The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program," Have I Been Pwned noted.

... continue reading

Explore topics: carnival cruise line shinyhunters data breach social engineering holland america
Related:
A security lapse at prison pay phone service Pay Tel publicly exposed over 300K callers’ driver’s licenses
Ransomware Actors Show Up In Person to Steal Law Firm Data
UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us
A Krispy Kreme data breach may qualify thousands of Americans for payouts over $3,000
UK Visa Portal spilled thousands of applicants’ passports and selfies online — and hasn’t fixed the leak

© 2026 GoKawiil

About | Editorial Policy | Contact