Back

Carnival Corporation Data Breach Exposes Personal Information of Customers

Severity: High (Score: 69.0)

Sources: Prnewswire, Morningstar, Uk.Finance.Yahoo, Topclassactions

Published: 2026-05-27 · Updated: 2026-05-28

Keywords: carnival, corporation, data, notice, breach, miami, prnewswire

Severity indicators: breach, data breach, ot, rat

Summary

Carnival Corporation reported a data breach on May 27, 2026, affecting individuals whose personal information was compromised in an incident identified on April 14, 2026. The breach involved unauthorized access to an employee's account through social engineering tactics. Personal information accessed includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued IDs. The company is notifying affected individuals via email and offering two years of free credit monitoring through TransUnion. A class action lawsuit has been filed against Carnival for failing to notify customers in a timely manner, alleging negligence and violations of consumer laws. The breach reportedly involved the theft of over 8.7 million records by a ransomware group. Carnival has taken steps to enhance security measures and is cooperating with third-party security experts for further investigation. Key Points: • Carnival Corporation's data breach involved unauthorized access to employee accounts via social engineering. • Personal information of over 8.7 million individuals was compromised, including sensitive data. • The company is offering two years of free credit monitoring to affected individuals.

Detailed Analysis

**Impact** The breach affected over 8.7 million records containing personally identifiable information (PII) of Carnival Corporation customers, primarily in the United States. Exposed data includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver’s license and passport numbers. The incident has led to a class action lawsuit alleging negligence and delayed notification, with potential financial and reputational damage to Carnival. U.S. customers are offered two years of complimentary credit monitoring through TransUnion. **Technical Details** The attack involved social engineering targeting an employee to gain unauthorized access to a limited portion of Carnival’s IT systems. The unauthorized activity was identified on April 14, 2026, and quickly blocked. No specific malware, CVEs, or infrastructure details were disclosed. The compromise occurred at the initial access and credential access stages of the kill chain, leveraging human manipulation rather than technical exploits. No IOCs were provided in the available reports. **Recommended Response** Organizations should enhance employee security awareness training to mitigate social engineering risks and implement multi-factor authentication to protect employee accounts. Continuous monitoring for unusual account activity and rapid incident response protocols are critical. Affected individuals should be advised to enroll in credit monitoring services and monitor financial statements for fraud. No specific patches or technical mitigations were detailed in the sources.

Source articles (4)

  • Carnival class action claims cruise line failed to notify customers of data breach — Topclassactions · 2026-05-25
    A new class action lawsuit alleges Carnival Corp. — which owns Carnival Cruise Line — failed to notify its customers that their personally identifiable information was stolen in a data breach. Plainti…
  • Carnival Corporation Notice of Data Breach — Prnewswire · 2026-05-27
    MIAMI , May 27, 2026 /PRNewswire/ -- Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident. This…
  • Carnival Corporation Notice of Data Breach — Morningstar · 2026-05-27
    MIAMI , May 27, 2026 /PRNewswire/ -- Carnival Corporation today announced that notification letters have been sent to individuals whose data was impacted in the April 2026 cybersecurity incident. This…
  • Cruise operator Carnival discloses personal data breach — Uk.Finance.Yahoo · 2026-05-27
    May 27 (Reuters) - Cruise operator Carnival Corp said on Wednesday it had detected a cybersecurity ‌incident involving a compromised account of an employee ‌in April, leading to the leak of certain pe…

Timeline

  • 2026-04-14 — Unauthorized access detected: Carnival's IT security team identified unauthorized activity involving an employee's account, leading to a data breach.
  • 2026-04-18 — Data breach occurred: The breach allegedly involved the theft of over 8.7 million records by the ransomware group ShinyHunters.
  • 2026-05-27 — Public notification issued: Carnival announced the breach and began notifying affected individuals via email, offering credit monitoring services.
  • 2026-05-27 — Class action lawsuit filed: A lawsuit was filed against Carnival for failing to notify customers of the data breach in a timely manner.
  • 2026-05-27 — Security measures enhanced: Carnival stated it has strengthened its security and monitoring controls following the breach.

Related entities

  • Data Breach (Attack Type)
  • Carnival Corp (Company)
  • Carnival Cruise Line (Company)
  • Choice Hotels (Company)
  • Holland America Line (Company)
  • Princess Cruises (Company)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • dc.gov (Domain)
  • [email protected] (Email)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • ShinyHunters (Apt Group)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed