8.7 Million Cruise Guest Records May Have Been Stolen — Here’s What Carnival Is Saying
If you’ve ever sailed with Carnival, Princess, Holland America, or any other Carnival Corporation brand, this is a story you need to read.
Carnival Corporation & plc, the world’s largest cruise company, is investigating a serious cybersecurity threat after a notorious hacking group claimed to have stolen more than 8.7 million records tied to the cruise giant — potentially exposing the personal data of millions of past and present guests across multiple cruise brands.

Who Is Behind It and What Did They Take?
The group responsible for the claim is ShinyHunters, a well-known cybercriminal organization that has targeted dozens of major companies across retail, finance, and hospitality sectors in a broader ongoing campaign.
Unlike ransomware groups that lock down computer systems to extort victims, ShinyHunters specializes in stealing data outright and threatening to publish it unless demands are met.
The group listed Carnival Corporation on a data leak site and issued what is commonly known as a “pay or leak” ultimatum, giving the company until April 21, 2026, to respond to its demands. That deadline has already passed, raising serious questions about what happens next.
Early analysis from cybersecurity researchers suggests the dataset could contain approximately 8.7 million records, including around 7.5 million unique email addresses. Some of that data appears to be connected to the Mariner Society loyalty program operated by Holland America Line, one of several major brands under the Carnival Corporation umbrella.

What Carnival Is Saying
Carnival Corporation confirmed it became aware of suspicious activity involving a single compromised user account and moved quickly to shut it down. Law enforcement has been notified and outside cybersecurity specialists have been brought in to assist with the investigation.
In a statement provided to media, the company said it acted immediately upon detecting the unauthorized activity, has blocked any further access, and is working carefully with security experts to assess what data — if any — was genuinely affected.
The company also noted that unverified claims circulating online are not always accurate, and committed to reaching out directly to any individuals confirmed to be impacted.
Carnival stopped short of confirming whether the breach is legitimate or whether the hackers’ demands were met.

What Data Could Be at Risk?
The scope of what might be exposed in a breach of this size is broad and deeply personal. Depending on what the hackers actually obtained, affected records could potentially include guest names, email addresses, phone numbers, home addresses, dates of birth, booking histories, loyalty program details, passport information, passwords, current sailing reservations, and in more serious scenarios, credit card or banking data.
On the corporate side, internal information such as employee records, payroll data, and confidential business communications could also be part of the haul.
Because Carnival Corporation operates a large family of cruise brands — including Carnival Cruise Line, Princess Cruises, Holland America Line, Costa Cruises, P&O Cruises, and others — the potential reach of this breach extends far beyond a single cruise line’s customer base.

Not the First Time
This is not Carnival Corporation’s first brush with a cybersecurity incident. Back in 2020, the company disclosed a breach that had gone undetected for months and ultimately exposed personal data belonging to both guests and employees. That situation resulted in a $1.25 million settlement and forced the company to overhaul its digital security practices.
More recently, Carnival has dealt with a string of smaller tech headaches — widespread disruptions to its online booking systems in February 2026, and an email system glitch earlier in April that sent some guests dozens of identical promotional messages. Neither of those incidents is believed to be connected to the current investigation.

What Should Cruise Guests Do Right Now?
Whether or not the breach is ultimately confirmed as genuine, anyone who has sailed with a Carnival Corporation brand in recent years should take precautionary steps immediately.
Cybersecurity experts recommend monitoring bank accounts and credit cards for any unusual activity, updating passwords associated with cruise loyalty accounts and any email addresses used during booking, and staying alert for phishing emails that may attempt to impersonate cruise lines or other familiar brands.
If the breach is verified, Carnival Corporation has stated it will follow all legal disclosure requirements and contact affected individuals directly with further guidance.
For now, the investigation continues — and millions of cruisers are watching closely.