What Happened

On April 10, 2026, someone tricked a Carnival Corporation employee into handing over access to company IT systems. Classic social engineering — no fancy exploit, just human error.

Carnival's IT security team caught the unauthorized activity on April 14, according to BleepingComputer. Four days later, they were already locked out. But it took until April 22 for Carnival to confirm that personal data had actually been copied.

Then it took over a month more — until May 27 — to notify the nearly 6 million people whose information was stolen.

Who Got Exposed

According to Carnival's official breach notification filed with the Maine Attorney General, the compromised data includes:

• Names
• Residential and email addresses
• Phone numbers
• Dates of birth
• Driver's license numbers
• Passport numbers
• Loyalty program membership details

The breach hit Holland America's Mariner Society loyalty program hard, according to data breach notification service Have I Been Pwned, which analyzed the leaked data. Carnival's VIFP frequent cruiser program members were also exposed, per analysis cited by Nomad Lawyer.

The good news, if you can call it that: CyberInsider analysis indicates credit card numbers and passwords do NOT appear to have been stolen. Small mercy.

Who Did This

The ShinyHunters extortion gang claimed responsibility in April. This isn't some amateur operation. Over the past year, ShinyHunters has targeted Salesforce customers and breached hundreds of companies worldwide, per BleepingComputer, claiming billions of stolen records across multiple campaigns.

ShinyHunters says they grabbed 8.7 million records and terabytes of internal corporate data. Carnival's official count is 5,995,277 affected individuals. That gap — nearly 3 million records — hasn't been explained publicly. Either ShinyHunters is inflating numbers for leverage, or Carnival is undercounting. Neither answer is reassuring.

Carnival has NOT formally attributed the attack to ShinyHunters in its official statements. A Carnival spokesperson did NOT respond to BleepingComputer's requests for comment on that question.

The Timeline Problem

Breach occurred: April 10. Unauthorized activity detected: April 14. Data theft confirmed: April 22. Customers notified: May 27.

That's 47 days between the breach and customer notification. Nearly seven weeks for people with exposed passport numbers and driver's license information to be walking around with zero idea their identity was at risk.

Three separate lawsuits were already filed against Carnival by late April, alleging negligence in safeguarding customer data, according to Nomad Lawyer. The lawyers moved faster than Carnival's notification process.

Carnival's History

Carnival Corporation — which operates nine cruise lines including Princess Cruises, Holland America, Cunard, and AIDA, among others — has experienced security incidents before. This is a company pulling in $26 billion in annual revenue with over 160,000 employees and 90-plus ships. They have the resources to build serious cybersecurity infrastructure.

Yet a single employee getting socially engineered compromised the data of 6 million customers. Social engineering attacks are preventable through basic security training and multi-factor authentication protocols. The question is why a company of this scale remains vulnerable to such attacks.

What Carnival Is Offering

Free credit monitoring services. That's the response.

If you're one of the nearly 6 million affected, watch for a notification letter from Carnival. Enroll in the credit monitoring they're offering immediately.

If your passport number was exposed, be aware that it can be used in identity fraud. Monitor your financial accounts. Consider a fraud alert or credit freeze with the three major bureaus — Equifax, Experian, and TransUnion.

What the Media Is Getting Wrong

Most coverage is treating this as routine. Passport numbers and driver's license numbers in criminal hands represents a serious identity theft scenario — not just a spam email problem. The combination of government ID data, dates of birth, home addresses, and loyalty program details gives bad actors everything they need to impersonate victims.

Fox News flagged the credit monitoring offer. Lifehacker gave solid consumer advice. BleepingComputer did the best technical reporting, tracking ShinyHunters' specific claims and getting Have I Been Pwned to analyze the leaked data. Nomad Lawyer dug into the legal exposure and the actual scope of compromised data types.

A $26 billion company's security posture crumbled because one employee got deceived. That deserves scrutiny.

The Bottom Line

If you've cruised with Carnival, Holland America, Princess, Cunard, or any of their nine brands in recent years, your data may be on a criminal marketplace right now.

Carnival sat on this for 47 days before telling customers. Three lawsuits are already filed. The hackers are claiming they obtained even more than Carnival admits.

Free credit monitoring is the bare minimum response to having your passport number stolen. Check your credit reports today.