Skip to main content
Emerging ThreatsData Breaches

Carnival Cruise Breach Exposes 6 Million in Data Heist

Cruise ship terminal with people in background, laptop in foreground hinting at data breach.
"On April 14, 2026, the Company's IT security team identified unauthorized activity involving an employee's account." —Carnival Corporation, in breach notification letters to affected individuals.

Carnival's account and timeline

Carnival Corporation says threat actors gained access to parts of its IT systems via social engineering and copied personal information. The company states that unauthorized access began on April 10 and that its security team first identified suspicious activity on April 14. Carnival says it blocked the activity immediately, engaged third‑party security experts and on April 22 determined the intruder had illegally copied personal information. The company began notifying 5,995,277 customers "on Wednesday" that their data had been stolen, according to the breach notification letters.

Scale of the business and the incident

The disclosure affects a business that Carnival describes as the world's largest cruise line operator: more than 160,000 employees, a fleet of over 90 ships, roughly 13.5 million guests served in 2024, nine cruise brands and an associated tour company, and reported revenues of over $26 billion last year. Carnival operates the brands listed in its disclosure — Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, Seabourn — and Holland America Princess Alaska Tours.

What data appears to have been exposed

Carnival has not published a complete inventory of the stolen files within its notice, but third‑party analysis of material posted by the extortion gang points to specific personal fields. The data breach notification service Have I Been Pwned examined material that ShinyHunters published and reported the breach exposed names, dates of birth, email addresses, genders, geographic locations and loyalty program details. Have I Been Pwned noted the dataset contained fields indicating it related to the Mariner Society loyalty program run by Holland America, including status within the loyalty program.

ShinyHunters' claim and the group's recent activity

While Carnival has yet to attribute the attack to a named actor, the cybercrime group ShinyHunters claimed responsibility in April 2026. The group said it had stolen documents containing over 8.7 million records and terabytes of internal corporate data. A Carnival spokesperson did not respond when BleepingComputer reached out for confirmation of ShinyHunters' claim and for more details on the scope of the stolen data. Public reporting also places ShinyHunters in campaigns targeting Salesforce customers over the past year, including the Salesloft Drift and Salesforce Aura incidents, where the group claimed to have taken large volumes of records.

FBI advice, prior Carnival incidents, and ransomware history

The FBI has publicly warned victims of ShinyHunters not to pay ransom demands, advising that payment does not guarantee the data won't be sold or the victim won't be re‑extorted; that guidance was issued about two weeks before this breach notice. Carnival's disclosure also recalled prior incidents: the company reported breaches in March 2020 and June 2021 that exposed customer, employee and crew personal and financial information after threat actors gained access to employee email accounts. Ransomware actors additionally stole personal information from Carnival customers and employees after breaches in August 2020 and December 2020, the company has disclosed.

What this means for customers, security teams, and regulators

  • Customers: Nearly 6 million people have been notified; individuals whose records include names, dates of birth, email addresses, geographic locations or loyalty program status should monitor accounts tied to those credentials and follow any notifications Carnival issues about credit‑ or identity‑related protections.
  • Security teams and technologists: The intrusion was initiated via social engineering of an employee account and involved a multi‑day window between initial access and discovery. Teams will likely focus on controls for detecting account compromise, the effectiveness of incident containment workflows, and protections around sensitive program databases such as loyalty systems.
  • Regulators and compliance officers: Carnival's history of prior disclosures and the scale of this notification will be relevant to regulatory review and to any inquiries about notification timeliness, record‑keeping, and consumer protections tied to loyalty and travel programs.

The factual record in Carnival's notifications and third‑party analysis leaves firm elements in place: access via social engineering on April 10, detection on April 14, confirmation of data copying on April 22, and nearly 6 million customers notified. Remaining questions center on the full contents of the copied datasets and any formal attribution Carnival may make; the company has said it is working with outside experts and has begun notifications, but declined to comment to BleepingComputer when asked to confirm the ShinyHunters claim or to provide additional detail. For now, the immediate consequence is simple and concrete — millions of customers were told their personal data was taken, and authorities have urged victims not to capitulate to ransom demands.

Source: BleepingComputer — Carnival Cruise confirms data breach affecting nearly 6 million people