Image: Edward Lawrence via Unsplash

Cruise giant Carnival confirms data breach affecting nearly 6 million people

Cruise operator Carnival confirmed on Wednesday that hackers stole personal information, including passport and driver's license details, in an April cyberattack claimed by the ShinyHunters hacking group.

The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account. By the end of April, Carnival determined that the attacker had copied personal information from its systems.

The stolen data varies by individual but includes names, addresses, email addresses, phone numbers, dates of birth, driver's license numbers and passport numbers, according to the company.

Carnival did not disclose how many people were affected. However, a filing with Maine's attorney general's office indicates that nearly 6 million individuals may have had their information exposed.

"We acted swiftly to block the unauthorized activity and immediately began working with third-party security experts to further strengthen our security and conduct a thorough investigation," Carnival said in a statement.

Carnival, one of the world's largest cruise operators, owns brands including Princess Cruises, Holland America Line, Cunard and Costa Cruises. The company operates more than 90 ships worldwide and serves millions of passengers annually.

In April, ShinyHunters claimed it had obtained a large volume of Carnival data and attempted to extort the company to prevent the information from being published. The group eventually released what it said were 8.7 million records on its leak site, including data allegedly tied to the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands.

At the time, Carnival acknowledged a phishing incident involving a single user account and said it was investigating the scope of the unauthorized activity. The company has not publicly attributed the attack to ShinyHunters.

"Complex incidents like this take time and careful investigation to understand what information was affected and who it belongs to, and then to ensure notifications are handled accurately," Carnival said on Wednesday, explaining why it took a month to publicly confirm the breach.

ShinyHunters is known for high-profile data theft and extortion campaigns targeting large organizations. Earlier this year, the FBI warned that hackers linked to ShinyHunters were demanding substantial ransom payments from companies after stealing data through compromises involving Salesforce environments. The group has also recently claimed responsibility for a breach at analytics company Mixpanel.

In 2019, Carnival disclosed a data breach involving employee email accounts that exposed information belonging to approximately 180,000 customers and employees. Regulators later fined Carnival $1.25 million over its handling of the incident. The company also reported another breach in 2021 involving unauthorized access to a limited number of email accounts.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.