Key facts
- Carnival Corporation experienced a data breach affecting 5,995,277 individuals.
- The breach resulted from a social engineering attack on a single user account.
- Exposed data includes names, addresses, email addresses, phone numbers, dates of birth, and government IDs.
- The incident may impact customers of Carnival-owned brands like Holland America.
- Carnival is offering two years of complimentary credit monitoring to eligible U.S. individuals.

Carnival Corporation has confirmed a data breach that compromised the personal information of nearly 6 million individuals. The incident originated from a social engineering attack that targeted a single user account within the company's IT system. Upon detecting the unauthorized access, Carnival states it immediately blocked the activity, engaged third-party security experts, and notified law enforcement. An investigation revealed that certain personal information was illegally accessed. The company is in the process of notifying affected individuals.

The data potentially exposed varies by person but includes names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as driver's license and passport numbers. Data analyzed by Have I Been Pwned, attributed to the group ShinyHunters, reportedly contained 8.7 million records with 7.5 million unique email addresses, linked to Holland America's Mariner Society loyalty program. This suggests that individuals who are customers of Carnival-owned brands, even if not directly of Carnival itself, may be affected.

The stolen data can be used by scammers to craft more believable phishing attempts, mentioning details like loyalty points, upcoming trips, or cabin upgrades to trick individuals into clicking malicious links or divulging further information. ShinyHunters has a history of data theft and extortion, and the FBI advises against paying ransom demands. Carnival has a history of cybersecurity incidents, including breaches in 2020 and 2021 involving employee email accounts and ransomware attacks that exposed customer and employee data.

To protect themselves, individuals are advised to read breach notices carefully, use strong, unique passwords with a password manager, enable two-factor authentication, be suspicious of unsolicited messages, use antivirus software, keep systems updated, and consider credit freezes. Carnival is offering two years of complimentary credit monitoring to eligible U.S. individuals.