Global cruise operator Carnival Corporation is facing a major cybersecurity crisis after a large-scale data breach exposed personal information belonging to nearly six million customers, including passengers from New Zealand and several other countries. Investigators said the breach was linked to a social engineering attack in which a cybercriminal allegedly deceived an employee to gain access to part of the company’s IT infrastructure.
According to disclosures filed with authorities, the breach impacted approximately 5.99 million individuals. Exposed information reportedly included names, email addresses, phone numbers, dates of birth, and government-issued identification details such as passport and driver’s licence information.
Social Engineering Attack Breached Internal Systems
Carnival stated that the cybersecurity incident was first detected after an unauthorised actor allegedly manipulated an employee into granting access to a limited portion of the company’s IT systems. The company said it blocked the suspicious activity and launched an internal investigation with external cybersecurity experts.
Investigators believe the attack involved phishing or credential manipulation tactics commonly used in large-scale corporate breaches. Cybersecurity researchers noted that the incident highlights the increasing use of social engineering attacks targeting employees rather than direct technical exploitation of systems.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
Authorities are still examining the full scope of the compromised data and whether additional customer records may have been exposed during the breach.
ShinyHunters Group Allegedly Linked to Breach
Cybersecurity reports indicated that the hacking collective “ShinyHunters” claimed responsibility for stealing the data and later allegedly leaked portions of the information online after ransom negotiations reportedly failed. Researchers said the leaked dataset allegedly contained millions of customer records connected to Carnival’s cruise operations and loyalty program systems.
According to cybersecurity tracking platforms, the exposed information allegedly included customer names, email addresses, dates of birth, gender details, and loyalty membership information associated with Carnival-linked cruise brands.
The company has not publicly confirmed the full extent of the leaked dataset but acknowledged that sensitive personal information was illegally accessed during the incident.
Millions of Customers Across Multiple Countries Affected
Carnival Corporation operates several major cruise brands, including Carnival Cruise Line, Princess Cruises, Holland America Line, and other international cruise services. The company reportedly serves more than 13 million passengers annually across its global fleet.
Officials said affected passengers from multiple countries, including New Zealand, may receive breach notification emails and support guidance from the company. Carnival stated it is offering eligible U.S. customers two years of complimentary credit monitoring services through TransUnion.
Cybersecurity experts warned that compromised identity information could potentially be misused in phishing campaigns, identity fraud, and financial scams.
Cruise Industry Cybersecurity Under Fresh Scrutiny
The incident has renewed concerns over cybersecurity preparedness within the global travel and hospitality sector, which increasingly stores large volumes of passenger identity and payment information.
Researchers noted that Carnival has previously faced cybersecurity incidents involving ransomware and unauthorised system access. Experts warned that travel companies remain attractive targets for cybercriminal groups due to the scale of personal and financial data stored in reservation and loyalty systems.
Authorities and cybersecurity analysts continue to monitor whether additional leaked data from the breach may surface online in the coming weeks.
