Carnival Corporation has confirmed a data breach that affected nearly 6 million people, and the fallout could reach travelers who do not even think of themselves as Carnival customers.
The company said the incident began with a social engineering attack on a single employee account. According to Carnival Corporation, an unauthorized actor deceived a worker and gained access to a limited part of its IT system, where personal information was illegally copied.
State breach filings show 5,995,277 people were affected. A report to the Maine Attorney General listed 9,746 Maine residents among them. The exact mix of data varies by person, but the information known to be involved includes names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, including driver’s license and passport numbers.
A six-week gap between detection and disclosure
The timeline matters. Carnival said its IT security team detected unauthorized activity tied to an employee account on April 14, 2026, and moved quickly to block it. By April 22, 2026, the company had confirmed that personal data was illegally copied. Notification letters and a dedicated incident webpage did not go out until May 27, 2026, nearly six weeks after detection.
Carnival attributed the delay to the time needed for a thorough file analysis, matching specific data elements to individuals before sending personalized notices. The company said it blocked the activity, brought in third-party security experts and alerted law enforcement.
A Carnival spokesperson said the company deeply regrets any concern the incident causes and that it has added new layers of security and monitoring on top of protections already in place. Carnival is notifying affected individuals by email and is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion and its MyTrueIdentity platform. A dedicated TransUnion call center has been set up at 1-844-593-8310 to help with enrollment and questions.
The hacking group claiming responsibility
While Carnival has not publicly attributed the attack, the extortion group ShinyHunters claimed responsibility in April 2026. The group listed Carnival on its pay-or-leak portal on April 18 with a short ransom deadline, alleging it had stolen more than 8.7 million records of personal data along with terabytes of internal corporate files. After its extortion attempt failed, the group is reported to have published the stolen data.
The breach-checking service Have I Been Pwned said it analysed leaked data published by ShinyHunters and found 8.7 million records with about 7.5 million unique email addresses. The data appeared tied to the Mariner Society loyalty programme run by Holland America Line and included names, dates of birth, email addresses, genders, geographic locations, salutations and loyalty details.
That brand link is why this matters beyond the Carnival name. The company operates nine cruise brands, including Carnival Cruise Line, Princess Cruises, Holland America Line, Cunard, Costa Cruises, AIDA, P&O Cruises, P&O Australia and Seabourn. Someone who sailed with one of those lines may be affected even if they never consider themselves a Carnival customer.
Part of a wider extortion wave
ShinyHunters has been one of the most prolific threat actors operating in 2025 and 2026, claiming victims across many industries including SoundCloud, Panera Bread and Instructure, the company behind the Canvas learning platform. Rather than exploiting software flaws, the group typically relies on voice phishing, tricking staff into handing over single sign-on credentials, then abusing OAuth tokens and SaaS integrations to pull data from cloud systems such as Salesforce. The group has also been linked to wider data theft and extortion activity involving Salesforce customers.
The FBI has warned victims not to pay ransom demands from the group, saying payment does not guarantee stolen data will be deleted or stop further extortion attempts.
A repeat pattern for the cruise giant
This is not the first time Carnival has faced a cybersecurity incident. Between 2019 and 2021, the company reported four separate events to the New York Department of Financial Services, including two ransomware attacks and a phishing incident in which attackers deployed malware, encrypted internal systems and stole customer and employee information. Those earlier cases do not mean every customer will face fraud, but they show how old travel accounts can stay useful to criminals long after a trip ends.
Why the risk continues after the breach
For passengers, the main danger now is not only the breach itself but what comes after it. Even without payment card details, criminals can use names, birthdays and loyalty information to craft emails, texts or phone calls that look genuine. A loyalty account can connect a traveler’s name, email, date of birth, travel history and brand preferences, giving scammers material to build convincing messages. Fraudsters often strike when people are distracted, excited about travel or less likely to question a note about a booking, refund or upgrade.
Several law firms have already begun investigating potential class action claims tied to the incident.
What affected travelers should do
Security experts advise people who think they may be affected to enroll in the offered TransUnion credit monitoring, change passwords on any linked accounts and turn on two-factor authentication where possible. Watch for messages asking you to click links, confirm passport details or log in, and check that the sender address matches the company’s official domain. Be cautious of calls claiming to come from a cruise line, since stolen personal details can make a scam sound legitimate, and avoid acting on pressure or urgency.