Carnival Corporation, the world’s largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026.
The cruise line giant has over 160,000 employees and served around 13.5 million guests in 2024 via a fleet of over 90 ships.
Carnival operates nine of the world’s leading cruise line brands (Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours), and it reported revenues of over $26 billion last year.
The company started notifying 5,995,277 customers on Wednesday that threat actors stole their data in an April 10 breach after gaining access to some of its IT systems in a social engineering attack.
“On April 14, 2026, the Company’s IT security team identified unauthorized activity involving an employee’s account. An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company’s IT system,” the company said in data breach notification letters sent to affected individuals.
“The Company acted swiftly to block the unauthorized activity and immediately began working with third party security experts to further strengthen our security and to conduct a thorough investigation. On April 22, 2026, the Company first determined that the bad actor illegally copied personal information.”
While Carnival has yet to attribute the attack, the ShinyHunters cybercrime group claimed responsibility for the breach in April, saying they stole documents containing over 8.7 million records with personally identifiable information and terabytes of internal corporate data.
Although a Carnival spokesperson didn’t reply when BleepingComputer reached out to confirm ShinyHunters’ claims and for more details on what data was stolen in the attack, data breach notification service Have I Been Pwned analyzed the data leaked by the extortion gang and said the breach exposed affected people’s names, dates of birth, email addresses, genders, geographic locations, and loyalty program details.
“The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program,” Have I Been Pwned noted.
Over the past year, ShinyHunters has been targeting Salesforce customers and has breached hundreds of companies worldwide, claiming to have stolen billions of records in the Salesloft Drift campaign and the Salesforce Aura data theft attacks.
The FBI advised ShinyHunters’ victims two weeks ago not to pay the attackers’ ransom demands, after previously warning that doing so does not guarantee the threat actors won’t attempt to extort the victims again or sell the stolen data to other cybercriminals.
Carnival Corporation disclosed other data breaches in March 2020 and June 2021 that exposed personal and financial information belonging to customers, employees, and crew after threat actors gained access to Carnival employees’ email accounts.
Ransomware gangs also stole the personal information of Carnival customers and employees after breaching the company’s systems in August 2020 and December 2020.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
