
Carnival Corporation has begun notifying roughly six million individuals that their personal information was stolen in the cyberattack claimed by the ShinyHunters extortion group earlier this year.
The disclosure follows the public leak of data allegedly containing 8.7 million records tied to Carnival-owned cruise brands, including Holland America Line.
The notification campaign confirms for the first time that the incident involved the theft of customer data, after Carnival initially described the breach in April as suspicious activity linked to a phishing attack targeting a single employee account.
According to a notification letter sent to customers on May 27, 2026, Carnival says its security team detected unauthorized activity on April 14, 2026, after a threat actor used “social engineering to deceive an employee” and gain access to a “limited portion” of the company’s IT environment. The company says it blocked the activity and launched an investigation with outside cybersecurity experts.
Carnival states that it later determined on April 22 that the attackers had copied personal information from company systems. The company disclosed the exact number of affected individuals to US authorities, setting it at approximately 6 million.
The cruise giant is offering affected individuals 24 months of TransUnion credit monitoring and identity protection services.
CyberInsider first reported the incident on April 19 after ShinyHunters added Carnival Corporation to its extortion portal and claimed to have stolen over 8.7 million records containing personally identifiable information and internal company data. At the time, the threat actor warned that the information would be leaked if Carnival did not engage before an April 21 deadline.
After our reporting, the group followed through and publicly released the stolen dataset.
The breach was subsequently added to Have I Been Pwned (HIBP), which analyzed the leaked files and determined they contained approximately 7.5 million unique email addresses. HIBP stated the exposed data included names, dates of birth, gender information, geographic locations, and loyalty program details associated with Holland America’s Mariner Society program.
Analysis of the leaked records indicates they may have primarily originated from Holland America Line, one of several major cruise brands operated by Carnival Corporation. The company oversees a global portfolio that includes Carnival Cruise Line, Princess Cruises, Cunard, Seabourn, Costa Cruises, and Holland America Line, serving millions of passengers annually across multiple regions.
In the notification letter, Carnival says the attackers obtained varying categories of personal information depending on the individual impacted. Based on the leaked dataset previously reviewed by HIBP, exposed information may include names, birth dates, gender details, email addresses, geographic data, salutations, and cruise loyalty program status information.
Although the leaked data does not currently appear to include payment card information or passwords, it could still be used in targeted phishing attacks, identity fraud, or social engineering campaigns impersonating Carnival brands or travel partners.
Affected individuals should remain alert for suspicious emails, cruise-related scams, and fraudulent loyalty program communications. Carnival recommends monitoring account statements and credit reports for unauthorized activity. Users should also consider enabling fraud alerts or security freezes with the major credit bureaus and avoid opening unsolicited attachments or links claiming to relate to cruise bookings, refunds, or loyalty rewards.






