TL;DR: Carnival Corporation started notifying 5,995,277 customers on May 28 that their personal data was stolen in an April 10 breach. The stolen data includes passport numbers, driver’s license numbers, names, addresses, dates of birth, and loyalty program details. ShinyHunters (the same group behind the Canvas 275-million-student breach) claimed responsibility, saying they got 8.7 million records and terabytes of internal data via a social engineering attack on one employee. Carnival detected the breach four days later on April 14, confirmed data theft on April 22, then waited five more weeks before telling anyone. Three class action lawsuits were filed before victims even knew they were victims. Carnival is offering two years of TransUnion credit monitoring. Enrollment deadline: August 31, 2026.
Seven Weeks of Silence
Here’s what Carnival knew and when they knew it:
- April 10: An attacker social-engineered a Carnival employee, gaining access to internal systems [1].
- April 14: Carnival detected unauthorized activity in the compromised account. Four days after the breach started [1].
- April 18: ShinyHunters posted Carnival on their “pay or leak” portal with a deadline of April 21 [2].
- April 22: Carnival confirmed that data had actually been stolen, not just accessed [1].
- April 22–24: Three separate class action lawsuits were filed against Carnival [3].
- May 27–28: Carnival finally began notifying affected customers. Seven weeks after the breach. Five weeks after they knew data was gone [4].
Carnival’s explanation for the delay: “Complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to” [5].
Translation: figuring out exactly how bad it is takes longer than admitting it happened. Meanwhile, ShinyHunters had been sitting on (or selling) passport numbers for seven weeks before victims got a letter in the mail.
Passport Numbers. Driver’s Licenses. The Works.
The notification letters filed with the Maine Attorney General paint a clear picture of what walked out the door [4][5]:
- Full names
- Addresses
- Email addresses
- Phone numbers
- Dates of birth
- Driver’s license numbers
- Passport numbers
- Genders
- Loyalty program details (Holland America’s Mariner Society)
Credit card numbers and passwords don’t appear to be in the breach. Small comfort when someone has your passport number, full legal name, date of birth, and home address. That combination is the skeleton key for identity theft: enough to open bank accounts, file fraudulent tax returns, or create convincing phishing attacks tailored to you specifically.
ShinyHunters claims the haul is even bigger: 8.7 million records with 7.5 million unique email addresses, plus terabytes of internal corporate data [1]. Carnival’s official count to regulators is 5,995,277. That gap (2.7 million records) is either duplicate data or information Carnival hasn’t finished accounting for.
Social Engineering: The $0 Exploit
No zero-day vulnerability. No sophisticated malware. No supply chain compromise. ShinyHunters tricked one employee [1].
Carnival’s official statement: “An unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company’s IT system” [4].
“A limited portion” that happened to contain nearly six million customers’ passport numbers. If that’s limited, what does the unlimited portion look like?
Social engineering is the oldest trick in the book, and it keeps working because it targets the one vulnerability no patch can fix: human trust. But companies that handle passport data for millions of people are supposed to have layers of defense that make a single compromised account a containable problem, not a catastrophic one. Multifactor authentication. Access segmentation. Data encryption at rest. The kind of stuff Carnival was specifically called out for lacking after their last round of breaches [6].
ShinyHunters’ 2026 Rampage
Carnival isn’t an isolated incident. It’s a line item on ShinyHunters’ 2026 spreadsheet.
This is the same group that breached 400+ companies through Salesforce, hit 100+ companies via SSO campaigns, and stole data on 275 million students from Canvas LMS [3]. They posted Carnival alongside seven other companies on their extortion portal with a synchronized April 21 deadline, including 7-Eleven, Charter Communications, and Canada Life [2].
The FBI has been advising victims not to pay ShinyHunters’ ransom demands [1]. Whether Carnival paid is unknown. The company hasn’t publicly attributed the attack to ShinyHunters at all: a deliberate omission that lets them avoid acknowledging the extortion dimension in their regulatory filings.
Carnival’s Security Record: A Pattern, Not an Incident
This is at least the seventh known cybersecurity incident at Carnival Corporation since 2019:
- May 2019: Phishing and brute force on 124 employee email accounts [6].
- March 2020: Another breach exposing customer and employee data.
- August 2020: Ransomware encrypting systems and accessing data.
- December 2020: Malware hitting Costa Cruises on Christmas Day.
- January 2021: Another ransomware attack.
- March 2021: Phishing across Carnival, Holland America, and Princess.
- April 2026: ShinyHunters via social engineering. 5,995,277 affected.
New York’s Department of Financial Services fined Carnival $5 million after the 2019–2021 incidents. The DFS found the company had failed to implement multifactor authentication, took 10 months to report the first breach, and skipped adequate employee security training [6]. Carnival also settled with 45 state attorneys general for $1.25 million.
Total fines: $6.25 million. Carnival’s 2025 revenue: $25.02 billion. Those fines represent about 13 minutes of revenue. The cost of getting breached is still cheaper than the cost of real security investment. And so the cycle continues.
What to Do Right Now
Enroll in Credit Monitoring
Carnival is offering 24 months of free TransUnion monitoring. Use the activation code in your notification letter. Deadline: August 31, 2026. Don’t sit on it.
Freeze Your Credit
Credit monitoring tells you after someone opens an account in your name. A credit freeze prevents it. Free at all three bureaus: Equifax (1-888-298-0045), Experian (1-888-397-3742), TransUnion (1-888-909-8872). Five minutes each.
Watch for Targeted Phishing
Attackers now know your name, email, travel history, and loyalty status. Expect convincing emails about “booking updates,” “loyalty rewards,” or “security alerts.” Never click links in cruise-related emails. Go directly to carnival.com or hollandamerica.com instead.
Check Your Passport
If your passport number was exposed, monitor for unauthorized use. Report a compromised passport to the U.S. State Department at 1-877-487-2778. Consider renewing early if your passport is due within the next two years.
The Notification Delay Problem
Seven weeks between breach and notification isn’t unusual. It’s the norm. And that’s the problem.
While Carnival was “investigating,” ShinyHunters had seven weeks to sell, trade, or weaponize 6 million people’s passport numbers. Every day of delay is a day attackers have the data and victims don’t know to protect themselves. A credit freeze you set up on May 28 doesn’t help if someone opened an account in your name on April 15.
The EU’s GDPR requires breach notification within 72 hours. The U.S. has no federal standard. State laws vary from 30 to 90 days, and many have loopholes for “ongoing investigations.” Three class action lawsuits were filed against Carnival between April 22 and 24, more than a month before most victims knew they were affected [3].
Lawyers knew before passengers did. That tells you everything about whose interests the current notification system protects.
Sources
- BleepingComputer: “Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People” (May 2026)
- The Record: “Cruise Giant Carnival Confirms Data Breach Affecting Nearly 6 Million People” (May 2026)
- ClaimDepot: “Carnival Cruise Line Data Breach Lawsuit Investigation” (2026)
- Help Net Security: “Cybercriminals Sail Away With Data From 6 Million Carnival Customers” (May 2026)
- Malwarebytes: “Carnival Confirms Data Breach Impacting Nearly 6 Million” (May 2026)
- Cybersecurity Dive: “Carnival to Pay $5M for Cyber Violations to NY Financial Regulator”