
Nearly 6 million Carnival customers may face phishing and identity theft risks after attackers stole personal data through a socially engineered employee account.
Carnival Corporation has started notifying 5,995,277 people after a cybersecurity incident exposed personal information tied to the cruise operator and its brands. The company says it detected the activity on April 14 after attackers used social engineering to compromise an employee account and access internal systems.
The information varies by person but may include names, addresses, dates of birth, email addresses, phone numbers and government-issued identification numbers. Carnival is offering affected individuals 24 months of credit monitoring, according to its filing with the Maine Attorney General’s Office.
The breach had already surfaced in April, when the ShinyHunters extortion group claimed it had stolen 8.7 million Carnival records and then published the data. Have I Been Pwned said the exposed dataset contained 7.5 million unique email addresses and appeared linked to Holland America Line’s Mariner Society loyalty program.
That dataset reportedly included names, email addresses, dates of birth, gender, geographic locations and loyalty program details. Carnival has not publicly confirmed all the hackers’ claims, but the company’s notification confirms that personal data was stolen.
Anyone who receives a breach notice should sign up for the free credit monitoring, watch for new-account fraud and review bank, credit card and loyalty accounts for suspicious activity. Because the exposed data can help criminals craft convincing messages, cruise-related emails, refund offers, booking alerts and loyalty program notices should be treated cautiously.
Affected customers should also consider using a digital identity monitoring service to track where their personal information appears online. Bitdefender Digital Identity Protection can help users monitor exposed personal data on both the public and dark web, receive alerts when their information is leaked in breaches, and take faster action before leaked details are abused.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.