Cruise operator Carnival Corporation has confirmed a major data breach affecting nearly six million individuals after attackers gained access to customer information through a compromised employee account.
The company disclosed that the intrusion occurred in April 2026 after cybercriminals used social engineering tactics to deceive an employee and obtain unauthorized access to internal systems. Carnival said the suspicious activity was quickly blocked after detection and external cybersecurity specialists were brought in to investigate the incident.
According to breach tracking reports and leaked datasets reviewed by researchers, the incident may have exposed information tied to approximately 5.5 million to 7.5 million individuals connected to Carnival brands and loyalty programs.
The compromised data reportedly includes names, email addresses, dates of birth, genders, geographic locations, and loyalty program information connected to Holland America Line’s Mariner Society program. Some reports also indicate that government-issued identification numbers and addresses may have been accessed during the breach.
Researchers and breach monitoring services linked the incident to the cybercrime group ShinyHunters, an extortion collective known for targeting cloud services, single sign-on platforms, and enterprise customer databases. The group allegedly attempted to extort Carnival before portions of the stolen data were leaked online.
Carnival has not publicly attributed the attack to a specific threat actor. However, the incident follows a growing wave of breaches tied to ShinyHunters targeting large corporations throughout 2026, including telecommunications firms, hospitality companies, retailers, and education platforms.
The breach is not the first cybersecurity incident involving Carnival. The company previously disclosed ransomware attacks and data breaches in 2020 and 2021 that exposed customer, employee, and crew information across several cruise brands.
Carnival operates multiple global cruise lines including Carnival Cruise Line, Princess Cruises, Holland America Line, Cunard, Costa Cruises, AIDA Cruises, Seabourn, and P&O Cruises. The company serves millions of passengers annually and maintains large databases containing travel, booking, and loyalty program information.
The company said its ongoing investigation has not identified unauthorized access to payment card systems or operational ship systems. Carnival also stated it is continuing to review the scope of affected data and notify impacted individuals where required by law.