Carnival cruise line confirmed as newest ShinyHunters victim


Carnival Corporation, the world’s largest cruise ship operator, has confirmed an extensive data breach in the wake of an April 2026 system compromise claimed by the now-infamous ShinyHunters cyber gang.

As is typical of incidents attributed to ShinyHunters, the attack appears to have originated in Carnival’s supply chain: a successful phishing attempt against a third-party account that had access to the victim’s systems.

According to HaveIBeenPwned, this enabled the hackers to steal hundreds of thousands of data records linked to holidaymakers who had sailed with Carnival’s Holland America brand, including names, dates of birth, gender and loyalty programme status. Carnival has now added contact details and driving licence and passport data to this list. Almost six million individuals are thought to be affected.

In a disclosure notice, the company said: “Carnival Corporation values the trust you place in us, and we take the privacy and security of your information very seriously … We deeply regret this incident and any concern it may cause, and have sent notification letters to individuals whose data was impacted.”

Serial cyber attack victim Carnival suffered three incidents – a data breach and two distinct ransomware attacks – in quick succession in 2020, followed by a fourth cyber breach in early 2021.

“In addition to the comprehensive security measures our company had in place prior to the incident, we have taken steps to further safeguard our systems, including enhancing our security and monitoring controls,” said Carnival, which has also committed to offering affected US residents two years of free credit monitoring services.

“Our company will continue to advance our IT security and data privacy controls to stay ahead of an ever-evolving threat landscape,” the firm added.

Muhammad Yahya Patel, virtual chief cyber security officer (vCISO) and cyber security advisor for EMEA at Huntress, said the pattern of a ShinyHunters breach should feel uncomfortably familiar by now.

“Almost six million people; one social engineering technique,” he said. “That’s the Carnival breach in its simplest form … ShinyHunters didn’t need a zero-day or a sophisticated exploit to breach the world’s largest cruise operator. Their playbook is well-documented: voice phishing to extract single sign-on (SSO) credentials and multi-factor authentication (MFA) codes from employees by impersonating IT staff, followed by systematic access to connected SaaS [software as a service] environments to exfiltrate data at scale. The same technique. The same result. A different logo on the breach notification letter.”

The hospitality and travel industry is acutely vulnerable to cyber attacks because of high levels of staff turnover, geographically dispersed operations, heavy reliance on customer-facing systems, and a need to move fast to get things done. Add to this the vast amount of valuable customer data – a “ready-made targeting kit”, noted Patel – that organisations like Carnival hold, and it is easy to see how such breaches occur.

RedFlags CEO and co-founder Tim Ward said the latest Carnival incident showed that many companies are not yet considering the need to address supply chain threats from the inside out.

“Organisations need to start thinking seriously about … how to meet people where they actually are: inside their workflows, at the point of risk, with guidance and support that helps them make the right call in real time,” he said.

“Security needs to be something that works with people, not something done to them once a quarter in a tick-box exercise. Until we shift from compliance-driven awareness to genuinely embedding security into the moments that matter, social engineering will keep being the easiest door into even the largest organisations in the world.”

Next steps

Huntress’ Patel laid out the next steps for security leaders. “First, your help desk verification process is a primary attack surface right now,” he said. “If employees can be persuaded to hand over MFA codes by a confident caller, your entire identity security investment is undermined at the human layer.

“Second, ShinyHunters uses SSO access as a gateway to every connected SaaS application behind it,” said Patel. “Audit your OAuth tokens, review third-party SaaS access, and monitor for unusual activity in connected platforms.

“Third, the question is no longer whether you’ll be targeted using these methods,” he added. “It’s about whether your people would recognise the call, whether your processes make compliance hard, and whether your detection catches what follows.

“If any of those answers are uncertain, then you need to address them now,” said Patel.
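Two of the checks Patel describes, a detection for the playbook he outlines (a login using a phishable factor from an IP the user has never used, followed by bulk exports from several SaaS apps) and a review of OAuth grants, as an added example run over constructed audit events. This is illustrative code written for this page, not Huntress’ tooling or anything Carnival runs; the event fields, scope names, thresholds and sample data are assumptions, and the IP addresses are documentation ranges.

```python
"""Added example: two of the checks described above, run over constructed
SSO/SaaS audit events. Not Huntress or Carnival code; field names, scope
names and thresholds are assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (one JSON object per line), not real logs.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts":"2026-04-10T08:00:00Z","type":"sso.login","user":"alice","ip":"203.0.113.10","mfa":"otp"}
{"ts":"2026-04-11T08:03:00Z","type":"sso.login","user":"alice","ip":"203.0.113.10","mfa":"otp"}
{"ts":"2026-04-14T09:02:00Z","type":"sso.login","user":"alice","ip":"198.51.100.77","mfa":"otp"}
{"ts":"2026-04-14T09:05:00Z","type":"saas.export","user":"alice","app":"crm","records":250000}
{"ts":"2026-04-14T09:12:00Z","type":"saas.export","user":"alice","app":"helpdesk","records":80000}
{"ts":"2026-04-14T09:30:00Z","type":"sso.login","user":"bob","ip":"203.0.113.22","mfa":"webauthn"}
{"ts":"2026-04-14T09:35:00Z","type":"saas.export","user":"bob","app":"crm","records":200}
""".strip().splitlines()]

# Constructed OAuth grant inventory, shaped like what an IdP admin API returns.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "user": "alice", "publisher_verified": True,
     "scopes": ["calendars.read"], "last_used": "2026-04-13T00:00:00Z"},
    {"app": "DataPull Helper", "user": "alice", "publisher_verified": False,
     "scopes": ["offline_access", "files.read.all"], "last_used": "2026-04-14T09:04:00Z"},
    {"app": "Old Reporting Tool", "user": "bob", "publisher_verified": True,
     "scopes": ["offline_access"], "last_used": "2025-08-01T00:00:00Z"},
]

NOW = datetime(2026, 4, 14, 12, 0, tzinfo=timezone.utc)  # assumed "current" time
# Factors a confident caller can talk a user into reading out or approving.
PHISHABLE_MFA = {"otp", "sms", "push"}
# Scope names are assumptions; map them to whatever your IdP actually emits.
HIGH_RISK_SCOPES = {"offline_access", "files.read.all", "mail.read", "directory.read.all"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_sso_takeover_exfil(events, window=timedelta(minutes=30),
                              min_apps=2, min_records=10000):
    """Flag a login with a phishable factor from an IP the user has not used
    before, followed within `window` by bulk exports from several SaaS apps.
    Baseline IPs are learned from earlier logins in the same event stream."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_ips = defaultdict(set)
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "sso.login":
            continue
        user = ev["user"]
        is_new_ip = ev["ip"] not in seen_ips[user]
        seen_ips[user].add(ev["ip"])
        if not is_new_ip or ev["mfa"] not in PHISHABLE_MFA:
            continue  # known location, or a phishing-resistant factor
        t0 = parse_ts(ev["ts"])
        exports = [e for e in events[i + 1:]
                   if e["type"] == "saas.export" and e["user"] == user
                   and parse_ts(e["ts"]) - t0 <= window]
        apps = {e["app"] for e in exports}
        total = sum(e["records"] for e in exports)
        if len(apps) >= min_apps and total >= min_records:
            findings.append({"user": user, "ip": ev["ip"], "mfa": ev["mfa"],
                             "apps": sorted(apps), "records": total})
    return findings


def audit_oauth_grants(grants, now=NOW, max_idle=timedelta(days=90)):
    """Return grants worth a human review: high-risk scopes, an unverified
    publisher, or a token nobody has used within `max_idle`."""
    flagged = []
    for g in grants:
        reasons = []
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if not g["publisher_verified"]:
            reasons.append("unverified publisher")
        if now - parse_ts(g["last_used"]) > max_idle:
            reasons.append("unused for more than %d days" % max_idle.days)
        if reasons:
            flagged.append({"app": g["app"], "user": g["user"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in detect_sso_takeover_exfil(SAMPLE_EVENTS):
        print("ALERT possible SSO takeover followed by exfiltration:", f)
    for g in audit_oauth_grants(SAMPLE_GRANTS):
        print("REVIEW OAuth grant:", g)
```

On the sample data only alice’s 09:02 login fires: it uses a one-time code, comes from an address she has never logged in from, and is followed within ten minutes by 330,000 records pulled from two apps. Bob’s login is also from an unseen address but used WebAuthn, which a caller cannot relay, so it is skipped. The grant audit flags the unverified app holding offline access to files and the verified but long-idle reporting tool, and leaves the low-scope, recently used calendar app alone.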