Carnival Corporation, one of the world’s largest cruise operators, confirmed a data breach weeks after the ShinyHunters hacking group claimed it had stolen millions of customer records.
Carnival acknowledged a phishing incident involving a single employee account and stated that it was investigating the scope of the unauthorized activity.
“On April 14, 2026, the company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of the company’s IT system,” the company said.
According to Have I Been Pwned, the ShinyHunters hacking group listed Carnival Corporation on its “pay or leak” portal on April 18 and claimed it had stolen customer data belonging to the cruise operator.
The leak allegedly contained 8.7 million records with 7.5 million unique email addresses and included fields indicating the data related to the Mariner Society loyalty program operated by Holland America Line, a Carnival Corporation subsidiary.
The exposed information included names, dates of birth, genders, email addresses, and loyalty program status information.
However, in a data breach notice filed with Maine authorities, Carnival stated that the incident affected 5,995,277 people.
Carnival began notifying affected individuals on May 27, 2026, and is offering eligible U.S. residents two years of complimentary credit monitoring services through TransUnion following the incident.
“In addition to the security measures already in place before the incident, the company has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. The company will continue advancing its IT security and data privacy controls to address evolving threats,” the company concluded.
Let’s hope those additional security measures work this time, because this is not the first time cybercriminals have breached Carnival’s systems.
