
Carnival Corporation Data Breach Hits Nearly 6 Million Customers

Published on May 28, 2026

Carnival Corporation, the world's largest cruise operator, has confirmed a data breach affecting nearly six million customers. The breach, which began on April 10, 2026, gave attackers access to personal data held across several of the company's major cruise brands. Notifications went out to 5,995,277 affected individuals starting May 27, more than six weeks after the initial intrusion.

The Carnival Corporation data breach was carried out through social engineering. An attacker deceived an employee into handing over access credentials, which opened a door into a portion of the company's internal IT systems. The security team detected the unauthorized activity on April 14. By April 22, Carnival had confirmed that personal data had been copied and removed.

What Data Was Taken

The stolen records include names, email addresses, dates of birth, genders, geographic locations, loyalty program details, and salutations. Financial data and passport numbers have not been confirmed as part of the exposure, but the combination of personal identifiers in the stolen set creates real risk for phishing attacks and identity fraud targeting affected customers.

Breach notification service Have I Been Pwned analyzed the data shortly after the breach came to light and identified 7.5 million unique records appearing to originate from the Mariner Society, the loyalty program operated by Holland America Line. Carnival operates nine cruise brands in total, including Princess Cruises, Costa, Cunard, P&O Cruises, and AIDA, alongside Holland America Line. The company reported revenues of over $26 billion in 2025 and carried around 13.5 million guests across its fleet.

ShinyHunters Claims Responsibility

The extortion group ShinyHunters claimed the attack in April, listing Carnival on its pay-or-leak portal on April 18 with a deadline of April 21. The group alleged it had stolen over 8.7 million records containing personally identifiable information, along with terabytes of internal corporate data. Carnival has not publicly confirmed or denied ShinyHunters' involvement, and the company did not respond to press inquiries on the attribution.

ShinyHunters has been one of the most prolific threat actors operating in 2025 and 2026. The group has claimed hundreds of victims across industries, including SoundCloud, Panera Bread, McGraw-Hill, and Instructure, the company behind the Canvas learning management system. Their methods have shifted over time, with recent campaigns exploiting misconfigured Salesforce instances, stolen OAuth tokens, and voice phishing techniques alongside more conventional credential theft.

Carnival's Response

Carnival blocked the unauthorized access after detecting it and brought in third-party security experts to investigate. The company has since enhanced its monitoring controls and says it has taken additional steps to strengthen its systems.

Affected customers in the United States are being offered two years of complimentary credit monitoring through TransUnion. Notifications are going out by email where contact information is available. For individuals it cannot reach directly because the contact details on file are outdated or missing, Carnival published a public notice on May 27.

A Repeat Target

This is not Carnival's first encounter with a serious data breach. In 2020, attackers accessed employee email accounts and exposed the personal data of approximately 180,000 guests and staff, including names, addresses, passport numbers, and payment card information. That incident resulted in a $1.25 million multistate settlement in 2022, with Carnival required to strengthen its security practices as part of the agreement.

Three separate class action lawsuits were filed against Carnival between April 22 and April 24, 2026, in the U.S. District Court for the Southern District of Florida. The plaintiffs allege negligence and inadequate cybersecurity protocols, and accuse the company of failing to notify affected individuals quickly enough. They are seeking financial compensation, lifetime credit monitoring, and a court order requiring Carnival to overhaul its security posture.

What Affected Customers Should Do

Anyone who has sailed with a Carnival brand and has not received a notification should monitor their accounts closely regardless. The stolen data is enough to support convincing phishing attempts, and loyalty program credentials are particularly useful to attackers looking to access accounts with stored payment details or booking histories.

Affected individuals should treat unexpected emails referencing their Carnival booking or loyalty program with caution, even if those messages appear legitimate. Enrolling in the TransUnion credit monitoring offer is advisable for U.S. customers. Changing the password on any other account that reuses the same credentials is also a sensible precaution, particularly for loyalty program accounts shared across Carnival's nine brands.

The breach is a reminder that social engineering remains one of the most effective tools in an attacker's arsenal. A single deceived employee was enough to expose the personal records of six million people across one of the world's largest travel companies.
