Back

Carnival Corporation Data Breach Affects Nearly 6 Million Customers

Severity: High (Score: 69.0)

Sources: Morningstar, Uk.Finance.Yahoo, Topclassactions, Prnewswire, Cybersecuritynews

Published: 2026-05-27 · Updated: 2026-05-28

Keywords: carnival, corporation, data, notice, breach, miami, prnewswire

Severity indicators: breach, data breach, ot, rat

Summary

Carnival Corporation reported a significant data breach affecting approximately 6 million customers due to a social engineering attack on an employee's account. The breach was detected on April 14, 2026, when unauthorized activity was identified. The attackers, linked to the ShinyHunters group, reportedly accessed sensitive personal information including names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers. Carnival began notifying affected individuals on May 27, 2026, offering two years of complimentary credit monitoring through TransUnion. The company is enhancing its security measures and has engaged third-party experts for further investigation. The breach is part of a larger trend of cyberattacks targeting various organizations, with ShinyHunters known for previous high-profile incidents. Legal actions are being pursued against Carnival for alleged failures in timely notification. Key Points: • Nearly 6 million customers affected by a data breach at Carnival Corporation. • The breach was caused by a social engineering attack on an employee's account. • Carnival is offering two years of free credit monitoring to affected individuals.

Detailed Analysis

**Impact** Nearly 6 million customers of Carnival Corporation were affected by the breach, including individuals associated with nine cruise line brands and a travel tour company primarily in the U.S. The compromised data includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver’s license and passport numbers. The breach exposes affected individuals to risks of identity theft and fraud. Carnival has offered two years of complimentary credit monitoring to U.S. customers and has faced a class action lawsuit alleging delayed notification and inadequate security measures. **Technical Details** The attack was initiated via social engineering targeting an employee, resulting in unauthorized access to a limited portion of Carnival’s IT systems detected on April 14, 2026. The threat actor copied personal data by April 22, 2026. The ShinyHunters cybercrime group claimed responsibility, though Carnival has not officially confirmed this attribution. No specific malware, CVEs, or infrastructure details were disclosed in the available reports. **Recommended Response** Organizations should enhance employee security awareness training to mitigate social engineering risks and enforce multi-factor authentication on employee accounts. Monitor for unusual account activity and access patterns indicative of credential compromise. Deploy detection rules for lateral movement and data exfiltration behaviors. Affected individuals should be advised to enroll in credit monitoring, review credit reports regularly, and report suspicious activity to authorities. No specific patches or IOCs were provided for direct blocking.

Source articles (9)

  • Carnival class action claims cruise line failed to notify customers of data breach — Topclassactions · 2026-05-25
    A new class action lawsuit alleges Carnival Corp. — which owns Carnival Cruise Line — failed to notify its customers that their personally identifiable information was stolen in a data breach. Plainti…
  • Carnival Corporation Notice of Data Breach — Prnewswire · 2026-05-27
    MIAMI , May 27, 2026 /PRNewswire/ -- Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident. This…
  • Carnival Corporation Notice of Data Breach — Morningstar · 2026-05-27
    MIAMI , May 27, 2026 /PRNewswire/ -- Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident. This…
  • Cruise operator Carnival discloses personal data breach — Uk.Finance.Yahoo · 2026-05-27
    May 27 (Reuters) - Cruise operator Carnival Corp said on Wednesday it had detected a cybersecurity ‌incident involving a compromised account of an employee ‌in April, leading to the leak of certain pe…
  • Carnival Cruise confirms data breach affecting nearly 6 million people — Bleepingcomputer · 2026-05-28
    Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026. The cruise line…
  • Carnival Cruise Data Breach Exposes Millions of Customers’ Personal Information — Cybersecuritynews · 2026-05-28
    Carnival Corporation, the world’s largest cruise company and parent of Carnival Cruise Line, has begun notifying customers of a significant cybersecurity breach that exposed sensitive personal data af…
  • Carnival confirms ShinyHunters cruised off with 6M customer records after April breach — Theregister · 2026-05-28
    Travel and leisure giant was just one of many victims of the cybercrooks' crime spree this year Carnival Corporation - the world's largest cruise operator - has confirmed a digital heist, a month afte…
  • Cruise giant Carnival confirms data breach affecting nearly 6 million people — Therecord.Media · 2026-05-28
    The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account. By the end of April, Carnival determined that the attacker…
  • Carnival Data Breach Exposes Names, Addresses And Government ID Numbers After ... — Benzinga · 2026-05-28
    A cybersecurity incident at cruise operator Carnival Corp. (NYSE: CCL ) exposed sensitive personal information after attackers gained access through a compromised employee account in a social engineer…

Timeline

  • 2026-04-10 — Data breach occurred: Unauthorized access to Carnival's IT systems was achieved through social engineering.
  • 2026-04-14 — Unauthorized activity detected: Carnival's IT security team identified unauthorized access involving an employee's account.
  • 2026-04-22 — Data analysis revealed breach details: Carnival confirmed that personal information had been illegally copied from its systems.
  • 2026-05-27 — Notifications sent to affected individuals: Carnival began notifying nearly 6 million customers about the breach and offered credit monitoring services.
  • 2026-05-28 — Legal action initiated: A class action lawsuit was filed against Carnival for failing to notify customers promptly about the breach.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Salesforce Aura Data Theft Attacks (Campaign)
  • Salesloft Drift Campaign (Campaign)
  • Carnival (Company)
  • Carnival Corp (Company)
  • Carnival Corporation (Company)
  • Carnival Cruise Line (Company)
  • Choice Hotels (Company)
  • Holland America Line (Company)
  • Princess Cruises (Company)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • dc.gov (Domain)
  • shutterstock.com (Domain)
  • [email protected] (Email)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • ShinyHunters (Apt Group)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed