6M Impacted by Carnival Cruise Data Breach

Carnival Corporation has confirmed it experienced a data breach after the ShinyHunters ransomware group claimed responsibility for an attack in April 2026. The incident was caused by a social engineering attack targeting an employee device, enabling the malicious actor to gain access to a portion of the company’s internal IT system.
“The Carnival breach is another reminder that social engineering continues to outperform many traditional security controls,” states Ensar Seker, CISO at SOCRadar. “Threat actors no longer need sophisticated zero-days when they can exploit human trust, impersonation, and operational pressure to gain legitimate access into enterprise environments. In large organizations with distributed workforces and complex third-party ecosystems, a single compromised employee account can quickly become an entry point into sensitive customer environments.”
Approximately 6 million customers have been impacted by the breach.
“Nearly six million affected individuals means this is no longer just an operational security issue, it becomes a long-term identity and fraud risk problem,” says Seker.
The organization has not yet confirmed which data was impacted, but according to an analysis by Have I Been Pwned, a data breach notification platform, compromised data includes but is not limited to:
- Names
- Email addresses
- Birth dates
- Genders
- Loyalty program information
- Geographic locations
The analysis also stated that the compromised data involved 8.7 million records, including 7.5 million unique email addresses.
“This is Carnival’s second major data breach of the 2020s,” points out Paul Bischoff, Consumer Privacy Advocate at Comparitech. “The company paid a $1.25 million settlement to victims of a 2020 data breach. The perpetrator in that case was never revealed. Carnival says an unauthorized user accessed employee emails and personal info. As part of that settlement, Carnival agreed to strengthen its email security and breach response practices. Clearly, the email security improvements weren’t enough. However, the company did disclose the breach in a much more timely manner this time around. It took nearly 10 months to report the 2020 breach, whereas this one appears to have been disclosed within one month.”
The organization operates nine cruise line brands:
- Carnival Cruise Line
- Costa
- P&O Australia
- P&O Cruises
- Princess Cruises
- Holland America Line
- AIDA
- Cunard
- Seabourn
It also operates a travel tour company known as Holland America Princess Alaska Tours.
Currently, the organization is working with third-party experts to investigate and bolster security measures.