
Carnival Corporation — owner of Holland America, Princess Cruises and Carnival Cruise Line — is investigating a breach that exposed roughly 8.7 million customer records, including names, dates of birth and Mariner Society loyalty data. As reported by Security Boulevard, the ShinyHunters extortion crew listed Carnival on its leak site after a deadline expired and has now started publishing the data. Carnival has confirmed the entry point: a single phishing incident against one user account.

That detail matters more than the headline number. One staff member clicked one link, and a 7.5 million-email loyalty database walked out the door. The same group is reportedly sitting on stolen data from more than 40 organisations, with a heavy bias toward retail and hospitality — sectors that hold large customer databases tied to bookings, points programs and stored payment tokens. If you run a hotel, pub group, restaurant chain or any venue with a guest loyalty program, you are squarely in this group’s hunting ground.

Under Australia’s Privacy Act, a loyalty database leak of this scale would almost certainly count as a notifiable data breach, requiring a report to the OAIC plus direct notification to every affected guest. The reputational damage tends to outweigh the regulatory cost. Guests forgive a system outage; they do not forgive their date of birth and email address turning up on a leak site.

The fix is not exotic. Phishing-resistant multi-factor authentication on every staff account, conditional access policies that block sign-ins from unusual locations, and credential monitoring that flags reused passwords would have stopped this attack at the door. If you are not sure whether your front desk, reservations and back-office accounts have all three in place, that is the conversation to have this week — not after a breach notification.
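One way to answer that question from an account inventory, as an added example that is not part of the original article: the script below audits each staff account against the three controls. The CSV column names, method labels and sample rows are constructed assumptions, not the export format of any real identity product.

```python
import csv
import io

# Method labels treated as phishing-resistant (assumed labels for this example).
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello", "certificate"}

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """account,team,mfa_methods,conditional_access,credential_monitoring
frontdesk01,front desk,sms;totp,yes,no
reservations01,reservations,fido2,yes,yes
backoffice01,back office,,no,no
gm01,back office,passkey;sms,yes,yes
"""

def audit_account(row):
    """Return the list of control gaps for one exported account row."""
    gaps = []
    methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
    if not methods:
        gaps.append("no MFA registered")
    elif not methods & PHISHING_RESISTANT:
        gaps.append("MFA is phishable only")
    elif methods - PHISHING_RESISTANT:
        # A weaker method left registered undermines the strong one.
        gaps.append("phishable fallback still enabled")
    if row["conditional_access"].strip().lower() != "yes":
        gaps.append("not covered by conditional access")
    if row["credential_monitoring"].strip().lower() != "yes":
        gaps.append("no credential monitoring")
    return gaps

def audit(export_text):
    """Map each account that has at least one gap to its list of gaps."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        gaps = audit_account(row)
        if gaps:
            findings[row["account"]] = gaps
    return findings

if __name__ == "__main__":
    for account, gaps in audit(SAMPLE_EXPORT).items():
        print(f"{account}: {', '.join(gaps)}")
```

Accounts that do not appear in the output have all three controls in place; an account with a strong method plus an SMS or TOTP fallback is still reported, because the fallback remains usable.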

If you would like a second opinion on how your guest data is protected, our hospitality IT team works with Australian venues on exactly this — sensible, in-budget controls without breaking your booking systems.
