
Carnival Corporation confirms April data breach exposed nearly 6 million customers' personal data

BleepingComputer

Carnival Corporation, the world's largest cruise line operator, has confirmed that a social engineering attack in April exposed the personal data of nearly 6 million customers. The company began sending breach notification letters this week to 5,995,277 affected individuals — a figure drawn from the company's mandatory disclosure to the Maine Attorney General's office.

The breach occurred on April 10, 2026, when an attacker used social engineering techniques to deceive an employee into granting access to a portion of the company's IT systems. Carnival's security team detected the unauthorized activity four days later, on April 14. The company confirmed on April 22 that data had been exfiltrated.

What was stolen

Carnival has not fully specified the data categories affected in its notification letters beyond describing them as personal information. However, breach notification analysis service Have I Been Pwned reviewed data leaked by ShinyHunters — the cybercrime group that claimed responsibility for the attack in April — and found that the exposed records contain names, dates of birth, email addresses, genders, and geographic locations. The data also includes loyalty program information specifically related to the Mariner Society program operated by Holland America Line, one of Carnival's nine cruise line brands.

ShinyHunters claimed in April that it had stolen 8.7 million records and terabytes of internal corporate data. The discrepancy between the claimed 8.7 million records and Carnival's notification count of 5.99 million may reflect that not all exfiltrated records contained sufficient identifying information to require individual notification, or that some records belonged to employees or crew rather than customers.

ShinyHunters' escalating campaign

ShinyHunters is a prolific extortion group that has been targeting enterprise organizations at scale. Over the past year, the group has claimed breaches at hundreds of companies through attacks on Salesforce customers, executing what researchers have described as the "Salesloft Drift campaign" and "Salesforce Aura data theft attacks." The group's typical approach is to demand a ransom for not publishing the stolen data; if victims don't pay, the data is listed on criminal marketplaces.

The FBI issued a public advisory in mid-May 2026 specifically advising ShinyHunters' victims not to pay ransom demands, noting that payment does not guarantee data won't be sold to other criminal actors or used in future extortion attempts. It is not confirmed whether Carnival received a ransom demand or whether any payment was made.

A company with a pattern

This is at minimum Carnival's fourth publicly confirmed data breach since 2020. In March 2020, attackers accessed employee email accounts containing customer and crew personal information. In August 2020, a ransomware attack compromised customer and employee data. A second ransomware incident in December 2020 caused further exposure. In June 2021, another email account compromise led to a breach notification.

The recurrence raises questions about the company's security posture. Carnival operates a fleet of over 90 ships, employs over 160,000 people, and reported $26 billion in revenue last year. The company serves approximately 13.5 million guests annually across brands including Carnival Cruise Line, Princess Cruises, Holland America Line, Costa, P&O Cruises, Cunard, AIDA, and Seabourn. The scale of the operation — and the volume of guest data it holds — makes it a high-value target for financially motivated threat actors.

Social engineering as an initial attack vector is consistent with a broader trend in enterprise breaches. Rather than exploiting software vulnerabilities, attackers manipulate employees into granting access — a technique that is effective because it bypasses technical controls and exploits human judgment under pressure. The April 10 Carnival breach follows a pattern seen in major breaches at MGM Resorts, Caesars Entertainment, and Uber, all of which began with social engineering attacks against helpdesk or IT staff.

What affected customers should do

Customers who receive a breach notification from Carnival should treat it as genuine — the Maine AG filing confirms the scale and legitimacy of the notification. The data exposed (name, email, date of birth, gender, location, loyalty program status) is valuable for targeted phishing attacks and identity verification fraud. Affected individuals should be alert to unsolicited contact claiming to be from Carnival or its brands, particularly requests to click links, verify account details, or log in via email.

Loyalty program account passwords should be changed, and any reused passwords across other services should be updated immediately. Two-factor authentication should be enabled on any Carnival brand accounts where it is available. Have I Been Pwned has indexed the breach, so customers can check whether their email appears in the leaked data at haveibeenpwned.com.

Originally reported by BleepingComputer. Read the original article for additional details.
