Carnival Corporation's confirmation of a breach impacting nearly six million individuals reveals far more than a single phishing incident—it underscores chronic underinvestment in identity infrastructure across the global cruise sector. While the company attributes the April compromise to one employee account, the data haul—passport and driver's license details, loyalty program records from Holland America—matches ShinyHunters' established pattern of targeting Salesforce-adjacent environments for high-value PII resale on dark web forums. This incident builds directly on Carnival's 2019 breach that exposed 180,000 records and drew a $1.25 million regulatory fine, as well as its 2021 email intrusion, indicating repeated failures to remediate basic credential hygiene. Cross-referencing the Maine attorney general filing with Recorded Future's prior reporting on ShinyHunters' extortion campaigns shows the group has shifted from pure ransomware to data-leak extortion, increasing immediate identity theft vectors for affected passengers whose passport numbers can enable synthetic identity fraud within weeks. Regulators and passengers should prioritize monitoring for new account openings and passport replacement requests, as the cruise operator's month-long investigation delay allowed the data to circulate before notifications began. The absence of a clear attribution to ShinyHunters in Carnival's statement further highlights defensive gaps in threat intelligence sharing between maritime operators and U.S. agencies.