The ShinyHunters cybercrime group breached Carnival Corporation's IT systems via a social engineering attack on an employee account. The attackers exfiltrated personal information belonging to 5,995,277 customers, including names, dates of birth, email addresses, and loyalty program details; the data was subsequently leaked.
Initial Access
Employee Deception
confirmed
An unauthorized actor used social engineering to deceive a Carnival employee, gaining initial access to a limited portion of the company's IT system on April 10, 2026.
Defender cut points
Implement robust security awareness training with simulated phishing exercises
Enforce phishing-resistant FIDO2 MFA on all employee accounts