Carnival Corporation confirmed a data breach after the ShinyHunters ransomware group claimed responsibility in April 2026. The incident stemmed from a social engineering attack targeting an employee device, which allowed the attacker to access part of the company’s internal IT system. Approximately six million customers were impacted. The breach creates identity and fraud risk because affected individuals may face long-term consequences. Carnival has not confirmed what data was compromised, but Have I Been Pwned analysis indicated compromised data includes records such as 8.7 million total records and 7.5 million unique email addresses. The breach is described as the company’s second major data breach of the 2020s, following a 2020 incident that led to a $1.25 million settlement and email security improvements.
"Carnival Corporation has confirmed it experienced a data breach after the the ShinyHunters ransomware group claimed responsibility for an attack in April 2026. The incident was caused by a social engineering attack targeting an employee device, enabling the malicious actor to gain access to a portion of the company's internal IT system . Approximately 6 million customers have been impacted by the breach."
""The Carnival breach is another reminder that social engineering continues to outperform many traditional security controls," states Ensar Seker, CISO at SOCRadar. "Threat actors no longer need sophisticated zero-days when they can exploit human trust, impersonation, and operational pressure to gain legitimate access into enterprise environments. In large organizations with distributed workforces and complex third-party ecosystems, a single compromised employee account can quickly become an entry point into sensitive customer environments.""
""Nearly six million affected individuals means this is no longer just an operational security issue, it becomes a long-term identity and fraud risk problem," says Seker. The organization has not yet confirmed impacted data, but according to an analysis by Have I Been Pwned, a data breach notification platform, compromised data includes but is not limited to: The analysis also stated that the compromised data involved 8.7 million records, including 7.5 million unique email addresses."
""This is Carnival's second major data breach of the 2020s," points out Paul Bischoff, Consumer Privacy Advocate at Comparitech. "The company paid a $1.25 million settlement to victims of a 2020 data breach. The perpetrator in that case was never revealed. Carnival says an unauthorized user accessed employee emails and personal info. As part of that settlement, Carnival agreed to strengthen its email security and breach response practices. Clearly, the email security improvements weren't enough."
Read at Securitymagazine
Unable to calculate read time
Collection
[
|
...
]