Overview
- Carnival detected unauthorized activity tied to an employee account on April 14, 2026 and began notifying affected people by mail on May 27, 2026.
- The company told regulators that 5,995,277 people had personal information copied, with files varying by person and including names, contact details, dates of birth and passport or driver’s license numbers.
- The ShinyHunters extortion group claimed responsibility and published a larger dataset that outside analysts say contains roughly 7.5–8.7 million records, producing a gap between the group’s claim and Carnival’s official count.
- Security researchers say the attack used social engineering against a supply‑chain or third‑party account to harvest SSO/MFA credentials and access connected SaaS systems, a technique linked to prior ShinyHunters campaigns.
- Carnival says it blocked the intrusion, engaged outside security experts, has strengthened monitoring, and is offering eligible U.S. residents 24 months of TransUnion credit monitoring while investigations and file‑by‑file analysis continue.