TechRadar
Sead Fadilpašić

Carnival cruise operator confirms nearly 6 million people affected in data breach

  • Carnival confirmed its April ransomware attack affected 5,995,277 people
  • Stolen data included names, birth dates, genders, membership details
  • ShinyHunters leaked the data after failed ransom talks

Carnival Corporation, the world’s largest cruise company, said it has begun notifying people affected by the April ransomware attack, putting the number of victims at just under six million.

In late April this year, the company confirmed suffering a supply-chain attack and losing sensitive data on millions of customers. As the world’s largest cruise company, Carnival operates multiple brands, including Holland America Line. It was this subsidiary that was struck by the infamous ShinyHunters collective, which listed it on its data leak site, claiming to have taken 8.7 million records.

Among the stolen data were names, dates of birth, genders, and membership status details, and Have I Been Pwned? later added that around 7.5 million emails were compromised, as well.

Stolen credentials through phishing

Now, the company has filed a new report with the Maine Attorney General’s Office, sharing a sample of the letter being sent to affected individuals, and reporting exactly 5,995,277 victims.

In the letter, Carnival said that the attack took place on April 14, after hackers social-engineered an employee into sharing access to “a limited portion of the company’s IT system.” The company also said it is now offering 24 months of free membership with TransUnion’s credit monitoring services, to help mitigate any potential fallout.

ShinyHunters leaked the Carnival data on the dark web soon after the breach, stating that the negotiations with the company had broken down. "The company failed to reach an agreement with us despite our incredible patience," the group allegedly said. "They don't care."

All at once, ShinyHunters released data on around 40 different organizations, including Mytheresa, Zara, 7-Eleven, Pitney Bowes, and Carnival.

“Carnival Corporation takes the privacy and security of your information seriously,” the company stressed in the letter. “We deeply regret this incident and any concern it may cause.”

Via The Register
