Carnival Corporation has confirmed a significant data breach affecting approximately 6 million individuals, stemming from a social engineering attack that occurred in April 2026. The incident, claimed by the notorious extortion group ShinyHunters, resulted in the theft of sensitive personal information. Maine’s attorney general’s office has indicated that nearly 6 million individuals may have had their data exposed, highlighting the scale of the breach.
According to Carnival, initial access was gained through social engineering: an employee was tricked into granting access to IT systems. A compromised account then accessed a limited portion of the company’s systems, leading to the copying of personal data. The stolen data includes a range of sensitive information, such as names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, and passport numbers. Template letters using placeholder fields for stolen data elements were observed.
ShinyHunters made the stolen data publicly available in late April 2026, escalating concerns about the potential misuse of the compromised information. The group is known for targeting various organizations and demanding ransom payments in exchange for the data. Carnival reported that the breach impacted nearly 6 million people, highlighting the swiftness of the attack and the subsequent response.
Regulatory bodies are likely to scrutinize Carnival’s cybersecurity practices following this incident. This breach serves as a stark reminder of the increasing threat posed by social engineering attacks and the importance of robust security protocols to protect sensitive customer data. Cruise operator Carnival confirmed hackers stole personal information, including passport and driver’s license details, in an April cyberattack.
Investigations are ongoing to determine the full extent of the damage and to implement measures to prevent future incidents. Carnival Corporation is working to notify affected individuals and provide support to mitigate the potential risks associated with the data breach. The incident underscores the need for continuous vigilance and investment in cybersecurity defenses across all industries, particularly those handling large volumes of personal data.