Carnival Says Cyberattack Exposed Personal Data of Nearly 6 Million Passengers

Carnival Corporation, a large cruise operator, has confirmed that a cyberattack has exposed approximately 6 million individuals’ personal information. This happened as a result of a social engineering attack on one of their workers. 

Details of the Data Breach

From what Carnival’s saying, the breach kicked off on April 10 after a hacker used a social engineering ploy to trick an employee into granting them remote access. The company noticed that something was wrong by April 14, and they acted fast to lock things down. They even hired outside help. But the damage had already occurred. By April 22, they knew the bad actors had copied personal files.

Carnival began notifying individuals about the breach on May 27. In total, approximately 5,995,277 individuals have been affected by the breach. Among that number, 9,746 reside in Maine and environs. Carnival is giving free credit monitoring for two years through TransUnion. That’s the least they can do for the victims.

What Info Got Stolen?

A hacker group called ShinyHunters took credit for this mess. They claim to have walked away with over 8.7 million records. They also say they grabbed terabytes of company files.

A service called “Have I Been Pwned” looked at the leaked data. Here is what they found. Your name is out there. So is your birthday and email address. The thieves also got your gender, where you live, and your loyalty program details.

The info came from the Mariner Society program. The loyalty program associated with Holland America (a brand owned by Carnival) was potentially breached. Customers who hold loyalty points or status with Holland America might be part of the victims in this incident.

Carnival’s Previous Data Breach Woes

Sadly, this is becoming a pattern. Carnival has suffered a breach many times before, in March 2020 and in June the following year. Hackers broke into employee email accounts back then. Both employees’ personal information and customer financial information were compromised in this breach.

In addition, ransomware groups attacked Carnival multiple times – once in August 2020 and again in December 2020.  They grabbed customer and employee info too. So this new breach is more of the same. It’s a rough pattern for a company this big.

Though Carnival has not said who is responsible for the latest attack, ShinyHunters have come forward to claim they did it sometime in April. This hacker group has been busy these days. They’ve been going after Salesforce customers since last year and claim to have stolen billions of records. Their big hits include the Salesloft Drift and Salesforce Aura attacks.

ShinyHunters’ latest known target is Marcus & Millichap. The group reportedly breached the real estate firm, exposing 1.8 million records, adding to their growing list of victims.

The FBI has some advice for victims. Do not pay the ransom. They said this just two weeks ago. Paying doesn’t stop the hackers. They might sell your data anyway. Or they could come back and ask for more money.

Recommended Actionable Plan

With over 160,000 employees, Carnival is the World’s largest cruise company. In 2024, they provided service to 13.5 million customers. Their fleet of ships, which comes out to a total of 90 ships, operates under nine different brands; these brands include Princess, Cunard, and Costa.

If you’ve ever sailed with any of these brands, keep an eye on your email. Carnival is sending out notices. But be smart. Scammers will use this news to trick you. They’ll send fake emails that look real.

Change your Carnival passwords. Watch your bank accounts. And never click a link in an email you didn’t expect. Free credit monitoring helps a little. But staying alert helps a lot more.