By Xavier Rivera

Carnival Confirms Data Breach Affecting 6 Million Customers

Carnival Corporation confirmed a data breach affecting 5,995,277 customers after threat actors used social engineering to access an employee's account in April 2026. The incident, claimed by the ShinyHunters gang, exposed names, dates of birth, emails, genders, locations, and loyalty program data, underscoring the cruise operator's history of repeated security incidents.

Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people that was claimed by the ShinyHunters extortion gang in April 2026. The company, which operates nine leading cruise brands including Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn, plus Holland America Princess Alaska Tours, began notifying 5,995,277 customers on Wednesday.

The breach occurred after threat actors gained access to the company's IT systems through a social engineering attack. On April 14, 2026, Carnival's IT security team identified unauthorized activity involving an employee's account. The unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of the company's IT system.

Carnival acted swiftly to block the unauthorized activity and engaged third-party security experts to strengthen security and conduct an investigation. On April 22, 2026, the company determined that the bad actor had illegally copied personal information. The company started notifying affected individuals that their data was stolen in an April 10 breach.

Have I Been Pwned analyzed the data leaked by the extortion gang and determined the breach exposed names, dates of birth, email addresses, genders, geographic locations, and loyalty program details. The data related to the Mariner Society loyalty program run by Holland America, a Carnival brand, and included status information within the program. ShinyHunters claimed responsibility for stealing over 8.7 million records containing personally identifiable information along with terabytes of internal corporate data.

Over the past year, ShinyHunters has targeted Salesforce customers and breached hundreds of companies worldwide. The group has claimed to have stolen billions of records in campaigns including Salesloft Drift and Salesforce Aura data theft attacks. The FBI advised ShinyHunters' victims two weeks ago not to pay the attackers' ransom demands, warning that payment does not guarantee the data will not be exploited again or sold to others.

Carnival Corporation has a workforce of over 160,000 employees and served around 13.5 million guests in 2024 with a fleet of over 90 ships. It reported revenues of over $26 billion last year. The company previously disclosed data breaches in March 2020 and June 2021 that exposed personal and financial information of customers, employees, and crew after unauthorized access to employee email accounts. Ransomware gangs also stole personal information after breaching Carnival systems in August 2020 and December 2020.

EXPERT TAKE

Security teams must treat social engineering as a primary initial access vector and enforce strict monitoring of employee accounts, because a single compromise can expose millions of customer records, as this breach demonstrates.
