When employees become the attack surface: lessons from the Carnival breach


By Corey

Key Takeaways

  • Carnival said an unauthorized actor used social engineering to deceive an employee and access a limited portion of its IT system.
  • The Maine Attorney General’s data breach portal lists 5,995,277 affected individuals.
  • A 2026 Data Breach Investigations Report found that the human element was present in 62% of breaches.
  • Employee training remains important, but organizations cannot rely on employees identifying every phishing attempt.
  • A stronger cyber strategy also requires access controls, multi-factor authentication, monitoring, clear reporting routes and tested incident-response plans.
  • The Carnival breach shows that the human layer is not only an employee-awareness issue. It is also a cyber-governance issue.

Introduction: what happened in the Carnival data breach?

Carnival Corporation is one of the world’s largest cruise operators, with a portfolio of cruise brands serving customers across international markets.

On 14 April 2026, Carnival Corporation said its IT security team identified unauthorized activity involving an employee account. According to the company, an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT system.

On 22 April 2026, Carnival determined that personal information had been copied without authorization. The affected information varied by individual but included sensitive data such as names, addresses, email addresses, phone numbers, dates of birth and government-issued identification numbers, including passport and driver’s license numbers.

Carnival began notifying affected individuals on 27 May 2026. The company also offered affected individuals in the US 2 years of complimentary credit monitoring and identity-protection services.

The scale of the breach is significant. The Maine Attorney General’s data breach portal lists 5,995,277 affected individuals.

The incident raises a broader question for security leaders: when an attacker successfully deceives an employee, what controls are in place to limit the damage?

The trend: why is the human layer still such a major cyber risk?

The Carnival breach is not an isolated example. Attackers continue to use phishing and other forms of social engineering to gain access to company systems. These attacks often exploit normal human behavior, including trust, urgency, routine, fatigue and the pressure to complete work quickly.

This is often described as the “human layer” of cyber risk. However, the term should not be understood as placing responsibility solely on the employee. The human layer also includes the way an organization designs its systems, allocates access rights and responds when suspicious activity occurs.

In practice, this means that when an employee account is compromised, security leaders should ask:

  • Was the account limited to the access the employee genuinely needed?
  • Were additional checks required before sensitive data could be accessed or copied?
  • Was multi-factor authentication enforced?
  • Could unusual account activity be detected quickly?
  • Were there clear routes for employees to ask questions or report suspicious activity?
  • Did the organization have a tested process for responding to a potential incident?

Recent research shows that this remains a widespread issue. A 2026 Data Breach Investigations Report found that the human element was present in 62% of breaches, compared with 60% in the previous year. Social engineering was the 3rd most common breach pattern.

Microsoft’s Digital Defense Report 2025 reached a similar conclusion. It found that 28% of breaches investigated by its incident-response team began with phishing or social engineering. This was higher than the proportion attributed to unpatched web assets, at 18%, and exposed remote services, at 12%.

The risk may increase as attackers make greater use of artificial intelligence. ENISA reported that, by early 2025, AI-supported phishing campaigns accounted for more than 80% of observed social-engineering activity worldwide.

These figures point to a clear conclusion: employee awareness is important, but it is not enough on its own. Organizations also need controls that limit access, identify unusual behavior and reduce the potential impact when an attack succeeds.


Looking at employee awareness of cybersecurity and beyond

Cybersecurity training matters. Employees should understand the common warning signs of phishing and social-engineering attempts. They should also know how to report a suspicious message quickly and what steps to take if they think they may have shared information or approved a request in error.

However, training should be treated as a baseline control, not as the organization’s entire defense strategy. No organization can reasonably expect every employee to identify every deceptive message, every time.

The UK National Cyber Security Centre (NCSC) is clear on this point:

“Some phishing attacks will always get through, so you should plan for incidents which means you can minimize the damage they cause.”

This means organizations need to look beyond whether employees have completed a training course. They should also ask whether staff understand the reporting process, whether escalation routes are easy to use, whether teams have taken part in realistic scenario tests, and whether responsibility is clearly assigned when an incident occurs.

As Steve Biggs, Head of Infrastructure and Security at CoreStream GRC, explains:

“Training is important, but it cannot be the only line of defense. Employees need to know how to raise a concern quickly, without hesitation, and what to do if they think something has gone wrong. Organizations also need clear ownership, tested response plans and controls that limit the impact when an attack gets through.”

The aim is not to remove human judgment from cybersecurity. It is to support employees with clear processes and controls that reduce the likelihood that one mistake becomes a major incident.

What does a stronger human-layer cyber strategy look like?

A stronger human-layer cyber strategy starts with the assumption that an attacker may eventually get through. The aim is to reduce the likelihood of a successful attack, detect suspicious activity quickly and limit the damage if an account is compromised.

The NCSC advises organizations to use layered defenses rather than rely on a single control. Cybersecurity measures are not limited to technical products or services. They can also include processes, training and policies. These measures should be reviewed regularly and tailored to the organization’s most important risks.

In practice, organizations should consider:

  • Enforcing multi-factor authentication as a baseline control and using phishing-resistant authentication where appropriate.
  • Applying role-based access controls and least-privilege permissions so employees can only access the information and systems required for their role.
  • Reviewing access rights regularly, particularly when employees change roles or leave the organization.
  • Monitoring and logging account activity so unusual behavior can be identified quickly.
  • Giving employees clear routes to report suspicious messages, requests or account activity.
  • Testing incident-response plans through realistic exercises.
  • Assigning clear ownership for remediation actions.
  • Retaining evidence that controls are operating consistently across teams and systems.

These measures do not remove the need for employee awareness. They ensure that employee training is supported by controls that reduce the risk of a single mistake becoming a wider incident.

Looking beyond IT: from cybersecurity to cyber governance

Human-layer cyber risk is not only an IT issue. It is also a governance issue.

Organizations need to understand which risks they face, which controls are in place, who owns them and whether they are operating consistently. When an incident occurs, leaders should be able to identify the affected systems, assign remediation actions and track progress.

Controls do not create resilience simply because they appear in a policy. They create resilience when they work in practice and the organization can demonstrate that they are being reviewed, tested and improved.

CoreStream GRC helps organizations connect cyber risks, controls, owners, evidence, incidents and remediation actions in 1 place. This gives leaders a clearer view of how their cyber-governance framework is operating and where further action may be required.

Conclusion

The Carnival breach is a reminder that the human layer is not separate from cybersecurity. It is part of the system.

Employees use the software, manage the data, approve requests and respond to the messages that keep organizations moving. Training can reduce risk, but it cannot prevent every successful attack.

Organizations also need controls that limit access, detect unusual behavior and support a rapid response when something goes wrong. The key question is not only whether employees can identify a suspicious message. It is whether the organization is prepared when an attacker gets through.

Is your cyber-governance framework ready when an attack gets through?

CoreStream GRC helps organizations connect cyber risks, controls, owners, incidents and remediation actions in 1 place, giving leaders a clearer view of what is working and where further action is needed.

FAQ on the Carnival data breach

What happened in the Carnival data breach?

Carnival Corporation identified unauthorized activity involving an employee account on 14 April 2026. According to the company, an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT system. Carnival first determined on 22 April 2026 that personal information had been copied.

How many people were affected by the Carnival data breach?

The Maine Attorney General’s data breach portal lists 5,995,277 affected individuals. Carnival began notifying affected individuals on 27 May 2026.

Why is employee cybersecurity training not enough on its own?

Cybersecurity training remains important, but employees cannot reasonably be expected to identify every convincing phishing or social-engineering attempt. The UK National Cyber Security Centre recommends a layered approach that combines employee education with technical measures, reporting routes and incident-response planning.

What controls can reduce the impact of a compromised employee account?

Organizations should use layered defenses. These can include multi-factor authentication, least-privilege access controls, regular access reviews, account monitoring, clear escalation routes and tested incident-response plans. Verizon’s guidance also highlights MFA, employee training, regular testing and incident-response planning as important measures for reducing data-breach risk.

How does cyber governance help organizations respond to social-engineering attacks?

Cyber governance gives leaders a clearer view of which risks exist, which controls are in place, who owns them and whether they are working consistently. When an incident occurs, a connected governance approach makes it easier to identify affected systems, assign remediation actions, retain evidence and track progress.
