HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

ShinyHunters Breach Exposes Personal Data of Nearly 6 Million Carnival Cruise Passengers

In April 2024 ShinyHunters accessed a Carnival employee account via phishing, stole extensive personally‑identifiable information and later posted millions of records. The breach affects an estimated six million passengers and raises significant third‑party risk for vendors handling cruise‑related data.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 therecord.media
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
therecord.media

ShinyHunters Breach Exposes Personal Data of Nearly 6 Million Carnival Cruise Passengers

What Happened – In April 2024, the ShinyHunters hacking group compromised a single Carnival employee account via a phishing attack. The adversary moved laterally, copied extensive personally‑identifiable information (PII) – names, addresses, DOB, driver’s‑license and passport numbers – and later posted ~8.7 M records on a public leak site. Carnival publicly confirmed the breach in May, estimating exposure of close to 6 million individuals.

Why It Matters for TPRM

  • Large‑scale PII breach raises liability, regulatory, and brand‑reputation risks for any downstream partners.
  • The attack vector (phishing of a privileged account) highlights the need for robust identity‑and‑access controls across the supply chain.
  • Extortion attempts and public data dumps can be leveraged to pressure third‑party vendors that share data or services with Carnival.

Who Is Affected – Travel & transportation (cruise lines), hospitality, loyalty‑program providers, and any downstream service providers that process Carnival passenger data (e.g., payment processors, travel agencies, CRM platforms).

Recommended Actions

  • Review contracts with Carnival and its subsidiaries for data‑protection clauses and breach‑notification obligations.
  • Verify that your organization does not store or process the exposed PII; if it does, initiate incident‑response and customer‑notification procedures.
  • Assess and harden phishing‑resilience, MFA enforcement, and privileged‑account monitoring for any shared services.
  • Request evidence of Carnival’s post‑incident remediation (e.g., third‑party audit reports) before renewing or expanding engagements.

Technical Notes – Attack vector: phishing‑based credential compromise of an employee account; no public exploit of a software vulnerability was disclosed. Stolen data includes names, addresses, email, phone, dates of birth, driver’s‑license numbers, and passport numbers. No ransomware or malware payload was reported. Source: The Record

📰 Original Source
https://therecord.media/cruise-giant-carnival-confirms-data-breach-affecting-6-million

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →