TL;DR too long, didn’t read

  • Carnival: ShinyHunters stole data on nearly 6 million people from the world's largest cruise operator, getting in through a single social-engineered employee login. Passport and driver's licence numbers included. Our lead.

  • CISA ICSA-26-148-01: the MacGregor voyage data recorder G4e, built by Danelec and mandatory on SOLAS ships, ships with default and hard-coded credentials that hand an attacker administrator access. The firmware fix is out.

  • IMO MSC 111: the committee approved new guidelines on the software maintenance of shipboard navigation and communication equipment, a roadmap toward a non-mandatory Maritime Cyber Code by 2028, and a revision of the cyber risk management guidelines.

The thread through all three: credentials are the maritime attack surface this week. Stolen at the cruise line's front office, shipped by default in the bridge's black box, and only now being written into IMO guidance.

Three things that matter this week

ShinyHunters take nearly 6 million from the world's largest cruise operator

On 28 May 2026, Carnival Corporation disclosed a data breach affecting 5995277 people, close to 6 million. Carnival is the largest cruise operator in the world, parent to Carnival Cruise Line, Princess Cruises, and Holland America Line. The exposed records trace largely to the Mariner Society loyalty programme run under Holland America, and the extortion group ShinyHunters has claimed the theft on its leak site, putting the haul at 8.7 million records.

The way in was not exotic. Carnival says attackers used social engineering to compromise a single employee account on 14 April 2026, then used that access to reach company systems and exfiltrate files. The data taken is the kind that does lasting damage: names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers, including driver's licence and passport numbers. Carnival is offering affected people 24 months of credit monitoring.

The passport detail is what makes this a maritime problem and not just another corporate breach. Cruise operators collect passport and identity data on every guest because they have to, for immigration and border control at every port of call. That makes a cruise line one of the richest concentrations of travel-identity data anywhere. This is at least the fourth breach Carnival has disclosed since 2019.

Why this matters for maritime: the cruise sector runs floating towns full of paying passengers, and the data that books, boards, and clears them through borders is a standing target. This breach did not need a clever exploit or a vessel-systems intrusion. It needed one employee to be fooled. For any operator carrying passenger or crew identity data, the lesson is that the front office is the attack surface, and a single tricked login can expose millions.

What to do: Treat identity data, passport and licence numbers above all, as the crown jewels they are, and know exactly where that data lives and who can reach it. Put phishing-resistant MFA on the accounts that can touch it, so a stolen password alone is not enough. Rehearse the social-engineering scenario with the staff who actually handle bookings and guest data, because they are who the attacker calls. And if you hold this data, plan the breach-notification and credit-monitoring response before you need it, not during.

The bridge black box ships with hard-coded credentials

On 28 May 2026, CISA published advisory ICSA-26-148-01 covering five vulnerabilities in the MacGregor voyage data recorder G4e, built by Danelec, in every version before V5.250. A voyage data recorder is the maritime equivalent of an aircraft black box. It is mandatory on SOLAS vessels, it sits on the ship's network, and it captures bridge audio, radar, AIS, and sensor data. This one ships with credentials an attacker can use to take it over.

The five issues, in plain terms:

  • A default username and password, with no requirement to change them (CVE-2026-42941).

  • Hard-coded credentials baked into default accounts (CVE-2026-42929). Both of these are rated high, CVSS 8.3.

  • An authenticated user can download a full device backup that contains account data and password hashes (CVE-2026-42951).

  • Those passwords are stored with a weak hashing method that limits password length and is open to brute force (CVE-2026-44611).

  • The web-interface administrator can directly edit the files that control authentication, including changing the root password (CVE-2026-40425).

Chain them and you get the outcome CISA states plainly: administrator access to the device. Danelec has released firmware V5.250 to fix all five, and CISA's guidance is unusually specific about timing. Update at the earliest service attendance, not at the next annual performance test.

Why this matters for maritime: a VDR is not a peripheral. It is the forensic record that accident investigators, insurers, and flag states rely on after an incident, and it lives on the same network as your navigation systems. Default credentials on that device mean two things at once. An attacker who reaches the vessel network can reach it, and the integrity of the record it keeps can no longer be assumed. The reason this is hard to fix is the same reason it matters. Type-approved shipboard equipment does not get patched on a software cadence. It gets touched when a technician is aboard, which can be months away.

What to do: Find out which VDR you run and what firmware is on it. If it is a Danelec-built G4e below V5.250, book the V5.250 update for your next service attendance and do not wait for the annual test. Until then, treat the VDR as an untrusted device on the bridge network. Confirm it is not reachable from any maintenance or remote-access path, change any credentials you can, and segment it from systems that have no reason to talk to it. If you cannot even establish which firmware version is installed, that uncertainty is itself the finding.

IMO moves on the software running your bridge

The IMO's Maritime Safety Committee met for its 111th session from 13 to 22 May 2026, and three of its outcomes matter for anyone responsible for shipboard cyber.

It approved new guidelines on the software maintenance of shipboard computer-based navigation and communication equipment and systems. In plain terms, the IMO has just put its name to the exact problem Story 2 describes: equipment whose software almost never gets updated in a disciplined way. It also approved a revision of the existing "Guidelines on maritime cyber risk management" (now Rev.3), the guidance that sits under resolution MSC.428(98) and already requires cyber risk to be handled inside a ship's safety management system.

And it approved a roadmap for a new Maritime Cyber Code, to be developed under the Facilitation Committee, targeted for 2028. The code will be non-mandatory, at least to begin with. An intersessional working group is due to meet in 2027.

Why this matters for maritime: it is easy to read "non-mandatory, target 2028" and file the whole thing under "later." That would be a mistake. The software-maintenance guidelines are approved now, and they are the reference your flag state and class society will start measuring against. The direction is clear. Treating shipboard software as something you install once and forget is on its way out, and the VDR advisory above is a live example of why.

What to do: Read the new software-maintenance guidelines and hold them against how you actually maintain navigation and communication equipment today. Who tracks firmware versions across the fleet? Who decides when an update gets applied, and against what risk assessment? If the honest answer is "the OEM, whenever a technician happens to be aboard," that is the gap the IMO is now formalising, and it is the same gap a recorder with hard-coded credentials sits in.

In case you missed it

  • GNSS jamming and a cable threat in the Gulf. Position-fixing disruption across the Strait of Hormuz and the wider Gulf has been a standing condition since late February. Ship-tracking firm Windward recorded more than 1100 vessels showing positioning errors in a single 24-hour period as the crisis escalated, with ships falsely placed at airports and inland sites, and Kpler reports transits sharply down. Alongside the jamming, Iran-linked media has publicly mapped the undersea internet cables running through the strait and floated charging fees to use it, turning connectivity itself into leverage. The threat is also drawing a policy response: on 29 May the UK set out plans to replace its 140-year-old subsea-cable law with tougher penalties for ships that damage undersea cables, whether by sabotage or recklessness, amid rising concern over Russian activity around the lines. If you route vessels through Hormuz, treat both position and communications as degradable on any given day. Test your response: Run the GNSS spoofing tabletop →

  • More than the VDR. CISA's 28 May batch also flagged a critical flaw (CVSS 9.8) in the PUSR USR-W610 serial-to-Wi-Fi converter, a device class used to bridge legacy serial navigation and engine gear onto IP networks. It carries plaintext admin credentials in the firmware, and there is no vendor patch. Siemens' May round added command-injection and request-smuggling flaws in RUGGEDCOM ROX routers and the APE1808 edge firewall, hardware that is common at the IT/OT boundary in ports. If you run serial-to-IP converters or RUGGEDCOM kit, both are worth a scan.

  • A VPN flaw under active attack. CISA has added CVE-2026-0257, a high-severity authentication-bypass flaw in Palo Alto Networks PAN-OS GlobalProtect, to its Known Exploited Vulnerabilities Catalog with a near-term federal patch deadline. Rapid7 has tracked exploitation in the wild since mid-May, with attackers forging authentication-override cookies to slip past the VPN login and reach internal networks. GlobalProtect is a common remote-access gateway, and plenty of ports, carriers, and shipping companies run officer, vendor, and OT remote access through exactly this kind of VPN. If that is you, confirm your PAN-OS version and patch status now.

Coming up

  • The maritime calendar is busy this first week of June. If you will be at any of these, reach out.

    • Posidonia 2026 — Athens, 1-5 June. The big one, with maritime security and geopolitics high on this year's agenda.

    • PT XXI, Polish Naval Academy — Gdynia, 1-3 June. I am presenting on maritime tabletop exercises. If you are there, find me.

    • NMIOTC 17th Annual Conference — Souda Bay, Crete, 3-4 June. NATO's maritime interdiction and security forum.

    • MARSEC COE International Maritime Security Conference — Istanbul, 9-10 June.

    • Maritime Cyber Guild Meetup Q2 — Prague, 15 June. Smaller, but the maritime cyber community in one room.

    And on these pages: once the IMO Council meets in July and the Maritime Cyber Code correspondence group forms, we will cover what the code is likely to ask of operators, and how to get ahead of it.

Number of the week

  • 6 million — People whose personal data Carnival is now notifying after the breach disclosed on 28 May, 5 995 277 to be exact, including driver's licence and passport numbers. There was no zero-day and no vessel intrusion behind it. Someone was simply talked into handing over an account. For the maritime sector, that is the uncomfortable headline: the largest single exposure of the week came through a login, not a ship.

Resource of the week

ENISA NIS360 2026 (ENISA, 28 May 2026)

ENISA's second annual review of how mature each NIS2 sector is against how critical it is. Maritime transport lands in the "risk zone": its cybersecurity maturity is lower than its criticality warrants, in the same band as health, railway, and water. The report is a useful mirror. If you operate in the EU, it tells you where your regulator is most likely to look next, and it hands you an external, citable benchmark for why maritime security deserves budget this year. Available at enisa.europa.eu.

Want more depth?

Maritime Cyber Intelligence Brief covers what the weekly cannot: full incident timelines, regulatory analysis, GNSS threat data, and OT advisory breakdowns. The latest issue is a free preview.

Read of the week

"The Art of Deception" by Kevin Mitnick — the classic account of social engineering by the man who made it famous, told through case after case of attackers talking their way past technical controls. It is hard to think of a better week to pick it up. The Carnival breach came down to a person being talked into handing over access, not a system being hacked. If you want to understand the attack that keeps working on every sector, maritime included, start here.

Keep reading