Carnival Probes ShinyHunters Claim of 8.7 Million Stolen Records

Carnival Corporation & plc is investigating an alleged cyber-extortion incident after ShinyHunters claimed it stole more than 8.7 million records from the cruise group. Carnival has not confirmed the legitimacy of the claimed leak, but said it “acted quickly to block unauthorized activity following a phishing incident involving a single user account” and is working with global security experts to determine the scope.

The company has not disclosed what data may have been exposed or whether customer records are involved. If substantiated, the alleged volume would be far larger than Carnival’s previous breach settlement, which involved about 180,000 employees and customers nationwide.

Carnival has not confirmed what records are involved

ShinyHunters listed Carnival on an extortion portal with a “Pay or Leak” deadline of April 21, 2026, threatening to release the data publicly if its demands were not met. Carnival has not said whether additional threats were made, what systems were accessed, or what data categories are under review beyond its statement that the activity followed a phishing incident tied to one account.

The alleged data set could involve records from Carnival brands including Carnival Cruise Line, Princess Cruises, Holland America Line, Costa Cruises, P&O Cruises, Seabourn, Cunard and AIDA Cruises.

ShinyHunters is a financially motivated cybercrime group associated with large data theft, extortion and the sale or posting of stolen records. The U.S. Department of Justice has tied ShinyHunters-related activity to phishing pages and fake login sites; in one case, French national Sébastien Raoult was sentenced to three years in prison and ordered to pay more than $5 million in restitution for conspiracy to commit wire fraud and aggravated identity theft.

Three lawsuits were filed in South Florida

Three proposed class actions were filed against Carnival between April 22 and April 24 in the U.S. District Court for the Southern District of Florida. The plaintiffs are Yvonne Vasquez of California, Zachary Pottle of Florida and Ashley Cole of Tennessee. They allege Carnival failed to maintain adequate cybersecurity controls.

The complaints cite alleged gaps including encryption and two-factor authentication, and seek financial compensation, lifetime free credit monitoring for class members and court-ordered changes to Carnival’s data-protection practices. Cole and Vasquez also allege that ShinyHunters warned Carnival it would leak data if demands were not met by the April 21 deadline.

Prior settlement adds scrutiny to the response

Carnival previously reached a $1.25 million multistate settlement tied to a 2019 breach that was reported in 2020. State attorneys general said that incident involved data such as names, addresses, passport numbers, driver’s license numbers, payment card information, health information and some Social Security numbers.

As part of that settlement, Carnival agreed to strengthen email security, multifactor authentication, password policies, phishing training and breach-response practices. The new lawsuits argue the company should have anticipated cyberattack risk given threats facing travel and financial companies.

Carnival has also experienced separate technology problems this year, including widespread online disruptions in February and an April email glitch that sent repeated cruise offers to some guests. Those incidents have not been linked to the alleged data breach.