CARNIVAL Corporation reported a data breach affecting nearly 6 million individuals due to a social engineering attack that compromised an employee's account. The attacker accessed internal IT systems from April 14 to April 22, 2026, and copied personal data including names, email addresses, and birth dates. This incident adds to Carnival's history of multiple breaches and ransomware incidents over the past decade.
The breach was claimed by the extortion group ShinyHunters, which has a history of selling stolen data. In response, Carnival is offering 24-month credit monitoring to those affected and warns that the stolen data could be used for identity theft or fraudulent activities.