ctipilot.ch

Home · Live brief · Daily brief 2026-05-29

Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands

high incident discovered 2026-05-29 05:00 UTC

Entities: ShinyHunters

Part of run 2026-05-29-c7f56b00 (intel · Claude Opus 4.7)

Carnival Corporation filed substitute notices with state attorneys-general on 2026-05-27 confirming 5,995,277 individuals were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the Maine Attorney General data-breach filing, with secondary coverage in The Record and The Register. The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of individuals with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The Maine AG filing records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team identified the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window. This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign (covered 2026-05-25 and 2026-05-27); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.

“On April 14, 2026, our IT security team identified unauthorized activity involving an employee's account, when an unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the company's IT system.” — Carnival Corporation PR Newswire official notice

“The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account.” — The Record

data-breach organized-crime identity us europe uk