
Carnival cruise line confirmed as latest ShinyHunters victim | Computer Weekly

By Computer Weekly
May 28, 2026


Carnival Corporation, the world’s largest cruise ship operator, has confirmed an extensive data breach in the wake of an April 2026 system compromise claimed by the now-infamous ShinyHunters cyber gang.

As is typical of incidents attributed to ShinyHunters, the attack appears to have stemmed from inside Carnival’s supply chain, involving a successful phishing attempt against a third-party account with access to the victims’ systems.

According to HaveIBeenPwned, this enabled the hackers to steal millions of data records linked to holidaymakers who had voyaged with Carnival’s Holland America brand, including names, dates of birth, gender and loyalty programme status. Carnival has now added contact details and driving licence and passport data to this list. Almost six million individuals are thought to be affected.

In a disclosure notice, the company claimed: “Carnival Corporation values the trust you place in us, and we take the privacy and security of your information very seriously … We deeply regret this incident and any concern it may cause, and have sent notification letters to individuals whose data was impacted.”

Serial cyber attack victim Carnival suffered three incidents – a data breach and two distinct ransomware attacks – in quick succession in 2020, followed by a fourth cyber breach in early 2021.

“In addition to the comprehensive security measures our company had in place prior to the incident, we have taken steps to further safeguard our systems, including enhancing our security and monitoring controls,” said Carnival, which has also committed to offering affected US residents two years of free credit monitoring services.

“Our company will continue to advance our IT security and data privacy controls to stay ahead of an ever-evolving threat landscape,” the firm added.

Muhammad Yahya Patel, virtual chief cyber security officer (vCISO) and cyber security advisor for EMEA at Huntress, said the pattern of a ShinyHunters breach should feel uncomfortably familiar by now.

“Nearly six million people; one social engineering technique,” he said. “That’s the Carnival breach in its simplest form … ShinyHunters didn’t need a zero-day or a sophisticated exploit to breach the world’s largest cruise operator. Their playbook is well-documented: voice phishing to extract single sign on (SSO) credentials and multi-factor authentication (MFA) codes from employees by impersonating IT staff, followed by systematic access to connected SaaS [software as a service] environments to exfiltrate data at scale. The same technique. The same result. A different logo on the breach notification letter.”

The hospitality and travel industry is acutely vulnerable to cyber attacks thanks to high levels of staff turnover, geographically dispersed operations, heavy reliance on customer-facing systems, and a need to move fast to get things done. Add to this the vast amount of valuable customer data – a “ready-made targeting kit”, noted Patel – that organisations like Carnival hold, and it is easy to see how such breaches occur.

RedFlags CEO and co-founder Tim Ward said the latest Carnival incident showed that many companies are not yet considering the need to address supply chain threats from the inside out.

“Organisations need to start thinking seriously about … how to meet people where they actually are: inside their workflows, at the point of risk, with guidance and support that helps them make the right call in real time,” he said.

“Security needs to be something that works with people, not something done to them once a quarter in a tick-box exercise. Until we shift from compliance-driven awareness to genuinely embedding security into the moments that matter, social engineering will keep being the easiest door into even the largest organisations in the world.”

Next steps

Huntress’ Patel laid out the next steps for security leaders. “First, your help desk verification process is a primary attack surface right now,” he said. “If employees can be persuaded to hand over MFA codes by a confident caller, your entire identity security investment is undermined at the human layer.

“Second, ShinyHunters uses SSO access as a gateway to every connected SaaS application behind it,” said Patel. “Audit your OAuth tokens, review third-party SaaS access, and monitor for unusual activity in connected platforms.

“Third, the question is no longer whether you’ll be targeted using these techniques,” he added. “It’s about whether your people would recognise the call, whether your processes make compliance hard, and whether your detection catches what follows. 

“If any of those answers are uncertain, then you need to address them now,” said Patel.


