Carnival cruise operator confirms nearly 6 million people affected in data breach

• Carnival confirmed its April ransomware attack affected 5,995,277 people
• Stolen data included names, birth dates, genders, membership details
• ShinyHunters leaked the data after failed ransom talks

Carnival Corporation, the world’s largest cruise company, said it began notifying people affected by the April ransomware attack, pinning the number of victims to just under six million.

In late April this year, the company confirmed suffering a supply-chain attack and losing sensitive data on millions of customers. As the world’s largest cruise company, Carnival operates multiple brands, including Holland America Line. It was this subsidiary that was struck by the infamous ShinHunters collective, who listed it on its data leak site, claiming to have taken 8.7 million records.

Among the stolen data were names, dates of birth, genders, and membership status details, and Have I Been Pwned? later added that around 7.5 million emails were compromised, as well.

Stolen credentials through phishing

Now, the company filed a new report with the Maine Attorney General’s Office, sharing a sample of the letter being sent to affected individuals, and reporting exactly 5,995,277 victims.

In the letter, Carnival said that the attack took place on April 14, after hackers social-engineered an employee into sharing access to “a limited portion of the company’s IT system.” The company also said it is now offering 24 months of free membership with TransUnion’s credit monitoring services, to help mitigate any potential fallout.

ShinyHunters leaked the Carnival data on the dark web soon after the breach, stating that the negotiations with the company broke down. “The company failed to reach an agreement with us despite our incredible patience,” the group allegedly said. “They don’t care.”

All at once, ShinyHunters released data on around 40 different organizations, including Mytheresa, Zara, 7-Eleven, Pitney Bowes, and Carnival.

“Carnival Corporation takes the privacy and security of your information seriously,” the company stressed in the letter. “We deeply regret this incident and any concern it may cause.”

Via The Register

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.