ctipilot.ch

Carnival Corporation confirms 5.99M-record ShinyHunters breach — Princess/Holland/Cunard/Costa

incident · item:carnival-corporation-5-99m-shinyhunters-breach-2026

Coverage timeline
1
first 2026-05-29 → last 2026-05-29
Briefs
1
1 distinct
Sources cited
6
6 hosts
Sections touched
1
active_threats
Co-occurring entities
3
see Related entities below

Story timeline

  1. 2026-05-29CTI Daily Brief — 2026-05-29
    active_threatsFirst coverage. 5,995,277 affected; ShinyHunters social-engineering of single employee account 2026-04-14; pay-or-leak; data published. Passport + DL numbers exposed. Separate from Charter/7-Eleven Salesforce campaign (covered 5-25, 5-27).

Where this entity is cited

  • active_threats1

Source distribution

  • helpnetsecurity.com1 (17%)
  • maine.gov1 (17%)
  • prnewswire.com1 (17%)
  • therecord.media1 (17%)
  • theregister.com1 (17%)
  • docs.gitlab.com1 (17%)

Related entities

All cited sources (6)

Items in briefs about Carnival Corporation confirms 5.99M-record ShinyHunters breach — Princess/Holland/Cunard/Costa (1)

Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands

From CTI Daily Brief — 2026-05-29 · published 2026-05-29 · view item permalink →

Carnival Corporation filed substitute notices with state attorneys-general on 2026-05-27 confirming 5,995,277 individuals were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the Maine Attorney General data-breach filing, with secondary coverage in The Record and The Register. The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of individuals with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The Maine AG filing records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team identified the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window. This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign (covered 2026-05-25 and 2026-05-27); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.

Defender takeaway: the kill chain is single-account-social-engineering → bulk data access — no CVE exploitation. For travel / hospitality and public-sector SOCs, focus user-behaviour-analytics rules on anomalous bulk data access by a single user / session (T1530, T1213.003) and on outbound transfer volume from CRM and ID-document repositories. EU GDPR notifications from the Italian (Costa) and UK (Cunard) subsidiaries are the immediate regulatory beat to watch.