Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands

Carnival Corporation filed substitute notices with state attorneys-general on 2026-05-27 confirming 5,995,277 individuals were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the Maine Attorney General data-breach filing, with secondary coverage in The Record and The Register. The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of individuals with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The Maine AG filing records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team identified the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window. This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign (covered 2026-05-25 and 2026-05-27); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.