Carnival Data Breach Exposed 6 Million People

Summary

Carnival Corporation notified approximately 6 million individuals of a data breach discovered on April 14, after hackers used social engineering to compromise an employee account and access company systems. The stolen data includes names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers. The extortion group ShinyHunters claimed responsibility and publicly leaked 8.7 million records in late April, with roughly 7.5 million accounts from Carnival's Holland America Mariner Society loyalty program confirmed affected.

Full text

Cruise line operator Carnival Corporation is notifying approximately 6 million individuals that their personal information was stolen in a recent data breach. Carnival said the incident was identified on April 14, after hackers gained access to an employee’s account via social engineering. Using the compromised account, the attackers accessed certain company systems and exfiltrated files containing personal information. “The company has been conducting a thorough and time-consuming analysis of the impacted files to determine what personal information they contained and to whom that information belongs,” an incident notice on Carnival’s website reads. According to the company, the potentially impacted information varies by individual, but generally includes names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers. On Wednesday, Carnival informed the Maine Attorney General’s Office that 5,995,277 people were affected and that it was providing them with 24 months of free credit monitoring services.Advertisement. Scroll to continue reading. While the company has not shared further details on the attack, the incident was claimed last month by the infamous extortion group ShinyHunters. On its leak site, the hacking gang claimed the theft of 8.7 million records from Carnival’s systems, and made the data publicly available in late April. According to data breach notification website HaveIBeenPwned, which analyzed the leaked dataset, roughly 7.5 million accounts related to the Mariner Society loyalty program run by Carnival cruise line brand Holland America were likely affected. The leaked information included names, email addresses, dates of birth, gender, geographic locations, and loyalty program details. SecurityWeek has emailed Carnival for additional information on the matter and will update this article if the company responds. “From a defensive perspective, companies should treat social engineering resilience as a core cybersecurity control rather than an awareness exercise. That includes phishing-resistant MFA, stronger identity verification processes for internal requests, conditional access policies, privileged access segmentation, continuous behavioral monitoring, and regular red-team simulations focused specifically on human-centric attack paths,” SOCRadar CISO Ensar Seker points out. Since 2020, Carnival has disclosed several data breaches. The company was hacked in 2019, fell victim to a ransomware attack in 2020, and was hacked again in March 2021. Related: 185,000 Likely Impacted by 7-Eleven Data Breach Related: Oncology Institute Discloses Data Breach Related: 266,000 Affected by Data Breach at Radiology Associates of Richmond Related: DocketWise Data Breach Impacts 143,000 Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software BinariesGlassWorm Botnet DisruptedFBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal DataCISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-DayIranian APT Targets Aviation, Software Companies With Updated Tools185,000 Likely Impacted by 7-Eleven Data BreachHackers Exploited KnowledgeDeliver Zero-Day for Web Shell DeploymentAdmins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands Latest News New BTMOB Android Malware Enables Full Device TakeoverCritical FortiClient EMS Vulnerability Exploited in Fresh AttacksIBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell”New Edamame Platform Aims to Catch AI Coding Agents Going Off the RailsGitea Vulnerability Exposed 30,000 Deployments to AttacksRaising the Cybersecurity Stakes: Ante up for the Agentic EraGoogle Unveils AI Threat Defense Platform to Fight AI-Powered CyberattacksUK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit On-Demand Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the MoveJoe Chen has become Chief Technology Officer at Trellix.Usercentrics has named Pawan Hegde as COO and Elena Ignatova as CPTO.SecureAuth has named Mark van Oppen as Chief Revenue Officer.More People On The MoveExpert Insights Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Entities