Carnival Corporation Is Investigating a Massive Data Breach — And Cruise Guests Could Be Affected

If you have ever sailed with Carnival Corporation — or earned points through Holland America’s Mariner Society loyalty program — there is something important you need to know right now.

According to a report published this week by Cruise Radio, Carnival Corporation is actively investigating a potential data breach after a well-known hacking group claimed to have stolen more than 8.7 million records from the company’s systems. The group has already released the data publicly, and security researchers say it appears to be legitimate.

This is not a drill — and it is not a small story.

What Happened

The threat actor behind this incident is a group called ShinyHunters, which has previously targeted companies including Microsoft, Pizza Hut, and several major universities. On April 18, 2026, ShinyHunters listed Carnival Corporation on their so-called “pay or leak” extortion portal, claiming they had stolen over 8.7 million records containing personally identifiable information and internal corporate data.

The group set a deadline of April 21 for Carnival to respond. When that deadline passed, they made good on their threat and published the data publicly.

What Data Was Exposed

This is where it gets personal for a lot of cruisers.

The leaked data has been analyzed by security researchers, and the fields in the records strongly suggest the information came from Holland America Line’s Mariner Society loyalty program. The exposed data includes names, dates of birth, genders, and loyalty status information — along with approximately 7.5 million unique email addresses out of the 8.7 million total records.

Carnival Corporation confirmed that it detected suspicious activity tied to a phishing incident involving a single user account, and stated that it “acted quickly to shut it down and block any further unauthorized access” and has notified law enforcement. The company is working with external security experts to assess the full scope of the incident and has pledged to notify affected individuals if personal information is confirmed to have been compromised.

That said, the data is already publicly available. The breach has been indexed by Have I Been Pwned, the well-known data breach notification service, which means the exposure is verified.

Why This Matters for Cruise Travelers

A loyalty program breach is particularly significant for cruise guests because these programs store years of accumulated personal history — your travel patterns, contact details, and status information. While the data that appears to have been exposed does not include financial information or passport numbers, the combination of name, email address, date of birth, and loyalty status is more than enough for sophisticated phishing attacks and identity-related fraud.

In other words, the risk does not end with the breach itself. The more immediate concern is what bad actors do with this data in the weeks and months ahead. Expect targeted phishing emails that appear to come from Holland America or Carnival — messages that reference your loyalty status, offer fake promotions, or ask you to “verify your account.” These will look convincing precisely because the senders already know details about you.

What You Should Do Right Now

If you are a Holland America Mariner Society member, or if you have an account with any Carnival Corporation brand — including Carnival Cruise Line, Princess Cruises, Cunard, or Seabourn — there are two immediate steps worth taking.

First, change your password for any cruise line accounts where you reuse credentials. This is especially important if you use the same email and password combination elsewhere. Second, enable two-factor authentication on those accounts if it is available. It takes two minutes and makes your account dramatically harder to compromise even if your credentials are in a leaked dataset.

Beyond that, be skeptical of any email that arrives claiming to be from Holland America or Carnival over the coming weeks, even if it looks official. Do not click links in unsolicited emails — go directly to the cruise line’s website by typing the address into your browser.

The Bigger Picture

This is not the first time Carnival Corporation has faced a cybersecurity incident. The company has dealt with ransomware attacks and data incidents before, which makes this latest breach particularly frustrating for loyal guests who have trusted these brands with their personal information over many years.

The cruise industry as a whole collects enormous amounts of guest data — and with that comes a responsibility to protect it. For now, Carnival says the investigation is ongoing and that it is cooperating with law enforcement. We will continue to watch for updates.

In the meantime, the best thing any cruiser can do is take the simple protective steps above and stay alert for suspicious communications. The ships are still sailing — just make sure your personal information stays as protected as possible while they do.

---

Source: Cruise Radio — Rumored Carnival Data Breach Could Impact Cruiser Accounts