Carnival Corporation has informed nearly 6 million people that their personal data was compromised in a recent cyberattack. The breach was discovered on April 14 and involved hackers using social engineering tactics to infiltrate an employee’s account. This access allowed the attackers to penetrate certain company systems and extract files containing sensitive personal information. Carnival has been analyzing these files to determine the extent of the data involved, which includes names, addresses, birth dates, email addresses, phone numbers, and government-issued IDs.

The company reported to the Maine Attorney General that 5,995,277 individuals were impacted, offering them two years of complimentary credit monitoring services. The notorious hacking group ShinyHunters has claimed responsibility for the attack, boasting on their leak site about stealing 8.7 million records and releasing the data in late April. Analysis by HaveIBeenPwned indicates that approximately 7.5 million accounts linked to the Holland America brand’s Mariner Society loyalty program were likely compromised, with details like names, emails, birth dates, gender, locations, and loyalty specifics exposed.

Carnival has a history of data breaches, experiencing similar incidents in 2019, a ransomware attack in 2020, and another breach in 2021. The company has yet to disclose further details about this latest incident. In response to these challenges, cybersecurity experts emphasize the need for companies to prioritize robust social engineering defenses. Measures such as multi-factor authentication resistant to phishing, strict identity verification, conditional access, and continuous monitoring are crucial to safeguarding against such threats.

Security professionals continue to stress the importance of proactive measures and regular simulations to better prepare for and mitigate human-centric cyber attacks. As Carnival grapples with the implications of the breach, it serves as a reminder of the ongoing risk posed by social engineering tactics and the need for comprehensive cybersecurity strategies.