May 28
/
Latest News
Carnival Confirms Data Breach After ShinyHunters Claims Theft of Millions of Records
Carnival Corporation has confirmed a data breach just weeks after the ShinyHunters hacking group claimed it had stolen millions of customer records from the cruise giant.
The company said the incident stemmed from a phishing attack that compromised a single employee account, allowing an unauthorized actor to access part of its internal systems.
According to Carnival, its security team detected the suspicious activity on April 14, 2026, and determined that the attacker had used social engineering to deceive an employee and gain limited access. While the company has not publicly detailed the full scope of the intrusion, ShinyHunters listed Carnival on its “pay or leak” portal four days later and claimed it had obtained data tied to the Mariner Society loyalty program operated by Holland America Line, a Carnival subsidiary.
Have I Been Pwned reported that the leaked dataset allegedly contained 8.7 million records, including 7.5 million unique email addresses, along with names, dates of birth, genders, email addresses, and loyalty status information. However, Carnival’s official filing with Maine regulators states that 5,995,277 individuals were affected.
The company began notifying impacted customers on May 27 and is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion. Carnival said it has strengthened its security controls in response to the incident, adding new monitoring capabilities and enhancing its defenses to address evolving threats.
The breach adds to a growing list of cybersecurity incidents the company has faced in recent years, raising renewed questions about the resilience of its systems. Carnival said it remains committed to improving its IT security and data privacy posture, but the latest intrusion underscores the ongoing challenges large organizations face as cybercriminals continue to target high‑value consumer data.
The company said the incident stemmed from a phishing attack that compromised a single employee account, allowing an unauthorized actor to access part of its internal systems.
According to Carnival, its security team detected the suspicious activity on April 14, 2026, and determined that the attacker had used social engineering to deceive an employee and gain limited access. While the company has not publicly detailed the full scope of the intrusion, ShinyHunters listed Carnival on its “pay or leak” portal four days later and claimed it had obtained data tied to the Mariner Society loyalty program operated by Holland America Line, a Carnival subsidiary.
Have I Been Pwned reported that the leaked dataset allegedly contained 8.7 million records, including 7.5 million unique email addresses, along with names, dates of birth, genders, email addresses, and loyalty status information. However, Carnival’s official filing with Maine regulators states that 5,995,277 individuals were affected.
The company began notifying impacted customers on May 27 and is offering eligible U.S. residents two years of complimentary credit monitoring through TransUnion. Carnival said it has strengthened its security controls in response to the incident, adding new monitoring capabilities and enhancing its defenses to address evolving threats.
The breach adds to a growing list of cybersecurity incidents the company has faced in recent years, raising renewed questions about the resilience of its systems. Carnival said it remains committed to improving its IT security and data privacy posture, but the latest intrusion underscores the ongoing challenges large organizations face as cybercriminals continue to target high‑value consumer data.
The report shows that regulated data dominates exposure incidents, accounting for 59% of all policy violations across AI and personal cloud applications. Source code makes up 15%, intellectual property 13%, and passwords and API keys 12%. The trend suggests that compliance-sensitive information is the material most frequently pushed into AI tools or personal cloud accounts in ways that trigger data loss prevention controls.
Europe’s preferred AI tools also diverge from global patterns. ChatGPT remains the most widely used service in the region, with Anthropic’s Claude taking second place ahead of Google Gemini. That ranking reverses the global order, where Gemini typically sits above Claude. Mistral’s Le Chat, developed in France, also appears prominently in European usage. Claude’s adoption surged in September 2025, when its growth curve steepened and pushed it past Gemini. ChatGPT maintained its lead throughout the year, and Microsoft Copilot held steady across the region.
Organizations are also blocking certain AI applications over privacy and data-handling concerns. Particular Audience tops the blocked list at 44%, followed by ZeroGPT at 37% and DeepSeek at 36%. These restrictions reflect unease around how some services process, personalize, and retain user data. In heavily regulated industries, companies often apply broad category-level blocks in addition to targeting specific apps.
The report highlights that attackers are increasingly blending into trusted cloud ecosystems. Malware distribution in Europe frequently relies on reputable platforms such as GitHub and Microsoft OneDrive, which benefit from user trust and can slip past URL-based filtering. The widespread use of personal cloud applications inside corporate networks further complicates security, as employees move files between personal and work environments, creating additional opportunities for exposure.
Netskope’s analysis suggests that European organizations have made significant progress in building guardrails around AI, particularly by shifting users away from personal accounts and into managed platforms. The remaining challenges center on the 15% of workers who still toggle between personal and enterprise AI accounts, the AI features embedded in everyday tools that operate outside the visibility of many security programs, and the steady flow of malicious files arriving through trusted cloud services.
The report recommends pairing data loss prevention controls with application-specific governance, noting that regulated data violations now span both AI tools and personal cloud applications, and that the boundary between these categories continues to blur as AI becomes a default layer in modern productivity software.
Europe’s preferred AI tools also diverge from global patterns. ChatGPT remains the most widely used service in the region, with Anthropic’s Claude taking second place ahead of Google Gemini. That ranking reverses the global order, where Gemini typically sits above Claude. Mistral’s Le Chat, developed in France, also appears prominently in European usage. Claude’s adoption surged in September 2025, when its growth curve steepened and pushed it past Gemini. ChatGPT maintained its lead throughout the year, and Microsoft Copilot held steady across the region.
Organizations are also blocking certain AI applications over privacy and data-handling concerns. Particular Audience tops the blocked list at 44%, followed by ZeroGPT at 37% and DeepSeek at 36%. These restrictions reflect unease around how some services process, personalize, and retain user data. In heavily regulated industries, companies often apply broad category-level blocks in addition to targeting specific apps.
The report highlights that attackers are increasingly blending into trusted cloud ecosystems. Malware distribution in Europe frequently relies on reputable platforms such as GitHub and Microsoft OneDrive, which benefit from user trust and can slip past URL-based filtering. The widespread use of personal cloud applications inside corporate networks further complicates security, as employees move files between personal and work environments, creating additional opportunities for exposure.
Netskope’s analysis suggests that European organizations have made significant progress in building guardrails around AI, particularly by shifting users away from personal accounts and into managed platforms. The remaining challenges center on the 15% of workers who still toggle between personal and enterprise AI accounts, the AI features embedded in everyday tools that operate outside the visibility of many security programs, and the steady flow of malicious files arriving through trusted cloud services.
The report recommends pairing data loss prevention controls with application-specific governance, noting that regulated data violations now span both AI tools and personal cloud applications, and that the boundary between these categories continues to blur as AI becomes a default layer in modern productivity software.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.