Carnival Corporation breach affects 6 million: What you need to know

internal IT security team identified anomalous and unauthorized activity originating from a compromised employee account. Immediate diagnostic protocols revealed that a threat actor had deployed a highly targeted social engineering scheme—specifically, a deceptive phishing campaign—to bypass initial perimeter controls and trick an employee into relinquishing valid access credentials.

Upon identifying the breach, Carnival’s cybersecurity team revoked the compromised account’s privileges, blocked the malicious activity, and isolated the affected network segments. The company engaged third-party cybersecurity forensics firms to assess the extent of the lateral movement within their systems. However, before the unauthorized session was terminated, the damage had already been done. On April 22, 2026, the forensic team determined that the cybercriminals had successfully accessed, aggregated, and illegally copied a substantial volume of files containing personal records from a limited portion of the enterprise’s internal IT architecture.

Despite establishing the loss of sensitive data in late April, Carnival did not begin its massive notification campaign until May 27, 2026—a 43-day gap from the initial discovery. In its regulatory filing with the Maine Attorney General, Carnival confirmed that a total of 5,995,277 individuals were affected globally, including 9,746 residents of Maine. This significant latency between detection and public notification has drawn sharp criticism from consumer advocacy groups and has become a primary focal point for the legal actions currently mounting against the cruise giant.

The Threat Actor Profile: ShinyHunters and the Extortion