Carnival Cruise Confirms 6 Million Customer Records Stolen

Carnival Corporation confirmed a data breach affecting nearly 6 million individuals after the ShinyHunters hacking group leaked customer records on their extortion portal. The exposed data includes names, passport numbers, driver's license numbers, and other sensitive personal information.

The cruise operator filed breach notifications with Maine's attorney general this week, acknowledging that attackers accessed "a limited portion of its IT environment" following a phishing attack in April 2026.

How the Breach Happened

The attack began with a phishing email. An attacker used social engineering to compromise a single employee account, gaining access to internal systems where customer data was stored.

Carnival's security team detected unauthorized activity on April 14, 2026. By the end of April, they determined that attackers had copied personal information belonging to customers, though the company hasn't disclosed exactly which systems were accessed or how long attackers maintained persistence.

ShinyHunters listed Carnival on their "pay or leak" portal on April 18, giving the company an extortion deadline. When Carnival apparently didn't pay, the group released approximately 8.7 million records, including data from the Mariner Society loyalty program operated by Holland America Line, a Carnival subsidiary.

What Data Was Exposed

The stolen information varies by individual but includes:

• Full names
• Physical addresses
• Email addresses
• Phone numbers
• Dates of birth
• Driver's license numbers
• Passport numbers

This combination is particularly dangerous. Passport and driver's license data enables identity theft at a level that's difficult to remediate—you can change passwords, but you can't easily change your passport number.

ShinyHunters' Ongoing Campaign

ShinyHunters has been on a tear lately. We covered their 7-Eleven Salesforce breach last week, where they extracted 600,000 franchise records. The group's Charter Communications attack in late May exposed 42 million Spectrum customer records.

The group operates a consistent playbook: gain access through credential theft or application vulnerabilities, exfiltrate data, list the victim on their leak site with a payment deadline, and dump the data publicly when victims don't pay. It's extortion without ransomware—they don't encrypt anything, just steal and threaten.

According to Recorded Future's reporting, Carnival hasn't publicly attributed the attack to ShinyHunters, but the group's leak site listing and subsequent data dump leave little doubt about who was responsible.

Carnival's Troubled Security History

This isn't Carnival's first breach. The company suffered attacks in 2019 and 2021, resulting in a $1.25 million regulatory fine. Multiple state attorneys general investigated those incidents, and Carnival entered settlement agreements requiring security improvements.

Three breaches in under a decade suggests systemic issues rather than bad luck. When phishing continues to work—especially against an organization with a documented breach history—questions about security awareness training and email security controls become unavoidable.

What Affected Customers Should Do

Carnival is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion. If you've cruised with Carnival, Holland America Line, or related brands, you should:

1. Enroll in credit monitoring — Use the service Carnival is offering
2. Place a fraud alert — Contact one of the three credit bureaus to add a fraud alert to your credit file
3. Consider a credit freeze — This prevents new accounts from being opened in your name
4. Watch for phishing — Attackers may use stolen data to craft convincing phishing emails targeting you specifically
5. Monitor passport usage — If your passport number was exposed, watch for any suspicious activity and consider reporting to authorities if you travel internationally

Why This Matters

Six million records containing passport data is a significant intelligence trove. Beyond garden-variety identity theft, passport information has value for nation-state actors, immigration fraud, and targeted operations against specific individuals.

For organizations, this breach reinforces an uncomfortable truth: phishing remains devastatingly effective. A single compromised employee account—not a sophisticated zero-day, not a supply chain attack—was enough to expose millions of customer records.

Employee security awareness isn't optional anymore. It's a control that, when it fails, leads directly to breach notifications and regulatory scrutiny.

---

Carnival's breach notification was filed with Maine's Office of the Attorney General. Additional reporting from The Record and Malwarebytes.