Cyber Incident Victim: Carnival Corporation
Date:
Apr 2026
Location:
United States of America
Summary
Carnival Corporation reported a data breach resulting from a social engineering attack on a single employee account that gave an unauthorized actor access to a limited portion of its IT system. The incident exposed personal information of approximately six million individuals, including names, addresses, email addresses, phone numbers, dates of birth, and government‑issued identification numbers such as driver’s license and passport numbers. Data linked to the Holland America Mariner Society loyalty program was also compromised, comprising about 8.7 million records with 7.5 million unique email addresses. The extortion group ShinyHunters claimed responsibility, though the company has not confirmed the claim. In response, the company offered two years of complimentary credit monitoring through TransUnion to affected U.S. individuals and engaged third‑party security experts and law enforcement.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 0 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Carnival Corporation reported that on April 14, 2026, an unauthorized actor gained access to a limited portion of its IT system through a social engineering attack that deceived a single employee. The company said it identified the breach in April, immediately blocked the malicious activity, engaged third‑party security experts, and alerted law enforcement. Carnival’s statement noted that the intrusion was confined to a specific user account and did not extend to the broader network. The firm said it launched an investigation to determine what information had been accessed. Prior to this incident, Carnival had disclosed breaches in March 2020 and June 2021 involving employee email accounts and ransomware events in August and December 2020 that exposed customer and employee data.
The data breach notice filed with the Maine Attorney General’s office indicated that 5,995,277 individuals had personal information compromised, while the Texas Attorney General’s Office noted that more than 800,000 Texans were affected. Carnival said the exposed data included names, addresses, email addresses, phone numbers, dates of birth, and government‑issued identification numbers such as driver’s license and passport numbers. Analysis by Have I Been Pwned of data linked to the breach showed 8.7 million records containing 7.5 million unique email addresses associated with Holland America’s Mariner Society loyalty program, which also included names, dates of birth, genders, geographic locations, salutations, and loyalty program details. The extortion group ShinyHunters claimed responsibility for the attack in April 2026, although Carnival has not publicly confirmed the claim. The company stated that it is conducting a thorough analysis to confirm the exact categories of data that were accessed.
In response, Carnival began sending notification letters to affected individuals and posted an online notice for those who could not be reached directly. The company offered two years of complimentary credit monitoring through TransUnion to eligible U.S. individuals impacted by the breach. Carnival said it added new layers of security and monitoring on top of existing protections and would continue advancing its defenses against evolving threats. The firm also indicated that it would keep law enforcement engaged and cooperate with ongoing investigations. No further details about the attacker’s methods or any potential misuse of the data were disclosed in the statements.