Carnival Data Breach: 6M Customers Exposed in Social Engineering Attac

Cruise Giant Discloses Major Data Breach Affecting Close to Six Million U.S. Customers

Carnival Corporation, the world’s largest cruise operator, has confirmed that a data breach occurring in April compromised the personal information of 5,995,277 U.S. customers, after a hacker used social engineering tactics to deceive an employee into granting access to a portion of the company’s IT infrastructure.

The company began notifying affected individuals by email on May 27 — a delay that has drawn sharp criticism from customers on online forums, who questioned why weeks passed before they were informed their data had been exposed.

What Data Was Compromised

The breach exposed a broad range of sensitive personal information, though the specific data varied by individual. Affected records include:

The combination of identity documents and contact details creates significant risk of identity theft and targeted fraud for those affected.

A Known Extortion Group Claims Responsibility

Carnival has not publicly identified the attacker. However, cybersecurity outlet Security Week reported that ShinyHunters — an extortion collective with a documented history of large-scale data theft — has claimed responsibility for the intrusion.

The attack vector, social engineering, involves manipulating employees rather than exploiting technical vulnerabilities directly, making it one of the most difficult threat categories for corporations to defend against.

Carnival Offers Two Years of Credit Monitoring

As part of its breach response, Carnival is offering two years of complimentary credit monitoring to all affected U.S. customers. The company has not disclosed whether customers outside the United States were also impacted.

Carnival Corporation operates nine cruise line brands globally, including Carnival Cruise Line, Princess Cruises, and Holland America Line, giving the breach potential implications across a wide international customer base.