Carnival Cruise is notifying customers of a data breach that affected nearly 6 million individuals after its employee fell victim to a social engineering attack.
Carnival is the world’s largest cruise operator with over 90 ships, 13.5 million guests annually, 160,000 employees, and annual revenue of over $26 billion in 2025.
According to data breach notifications sent to impacted customers, Carnival detected unauthorized activity on an employee account on April 14, 2026. Further investigations determined that the threat actor had tricked the employee into granting the bad actor access to limited portions of the company’s IT infrastructure through social engineering.
Upon learning of the data breach, Carnival said it responded promptly by blocking the threat actor’s access and engaging experienced third-party cyber forensics to investigate the scope of the incident.
“We acted swiftly to block the unauthorized activity and immediately began working with third-party security experts to further strengthen our security and conduct a thorough investigation,” the company stated.
Carnival Cruise data breach affects nearly 6 million people
On April 22, 2026, the probe determined that the threat actor had illegally copied the personal information of 5,995,277 customers.
Carnival says that while the stolen information varied by individual, it included names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, such as driver’s license numbers and passport numbers.
According to the data breach tracking platform Have I Been Pwned (HIBP), the stolen data also includes genders, geographic locations, and information related to the Mariner Society loyalty program run by Holland America.
HIBP also identified 7.5 million unique email addresses, which could represent the actual number of victims. However, Carnival is still working to determine the full scope of the data breach.
“Complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to, and then to ensure notifications are handled accurately,” the cruise operator stated.
Meanwhile, victims should be on the lookout for potential phishing attempts, as attackers could use the leaked data to lure them into disclosing more sensitive information, such as credit card details.
Carnival is also offering two years of complimentary credit monitoring via TransUnion to protect victims from fraud. Victims can also place fraud alerts to prevent cybercriminals from opening new credit lines. They should also monitor their financial and credit reports and notify relevant authorities of any suspicious activity.
Additionally, the company is taking additional steps to safeguard its systems and has enhanced its security controls and monitoring to prevent a similar data breach in the future.
Nevertheless, Carnival has experienced data breaches in the past. In 2021, the cruise operator experienced unauthorized access to the personal information of its guests, employees, and crew.
In 2019, Carnival also experienced a data breach affecting 180,000 customers and employees, resulting in a $1.25 million fine from privacy regulators over the company’s handling of the incident.
“The Carnival breach is another reminder that social engineering continues to outperform many traditional security controls,” said Ensar Seker, CISO at SOCRadar.
“Threat actors no longer need sophisticated zero-days when they can exploit human trust, impersonation, and operational pressure to gain legitimate access into enterprise environments. In large organizations with distributed workforces and complex third-party ecosystems, a single compromised employee account can quickly become an entry point into sensitive customer environments,” noted Seker. “What makes this incident especially significant is the scale and nature of the exposed data. Nearly six million affected individuals means this is no longer just an operational security issue, it becomes a long-term identity and fraud risk problem.”
ShinyHunters behind the Carnival data breach
Ransomware gang ShinyHunters has claimed responsibility for the Carnival data breach. The hacking group claims it stole over 8.7 million records of personal information and terabytes of corporate data.
“Over 8.7M records containing PII and other terabytes of internal corporate data have been compromised,” the group alleged.
Following its failed attempt to extort the cruise operator, ShinyHunters published the stolen data online for free to damage the company’s reputation.
