Carnival Corporation Data Breach Investigation

Date of data breach: May 28, 2026

by: Almeida Law Group

Almeida Law Group is investigating a data breach at Carnival Corporation. The breach occurred on April 10, 2026 and was discovered on April 14, 2026. If you were affected, contact Almeida Law Group.

About Carnival Corporation

Carnival Corporation is the world’s largest cruise company, operating a fleet of over 90 ships across nine brands including Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, and Cunard, among others. The company is headquartered in Miami, Florida, is publicly traded on the NYSE, and is a component of the S&P 500. The data involved in this breach included personal information belonging to nearly six million individuals worldwide.

What Happened?

Carnival Corporation was listed in a Maine Attorney General filing reporting a cybersecurity incident affecting 5,995,277 individuals total. According to Carnival’s own notice, on April 14, 2026, its IT security team identified unauthorized activity involving an employee account. A threat actor used social engineering — specifically phishing — to deceive an employee and gain access to a portion of Carnival’s systems. The company determined on April 22, 2026 that the attacker had illegally copied personal information. Consumers were notified on May 27, 2026, 43 days after discovery. The incident notice itself uses a template placeholder for the specific data elements involved, meaning affected individuals may have had different types of information exposed. Based on Have I Been Pwned’s verified analysis of published data, exposed information includes names, dates of birth, genders, email addresses, and loyalty program data. The breach appears specifically tied to the Mariner Society loyalty program operated by Holland America Line, a Carnival subsidiary. Lawsuits also allege that contact information such as phone numbers and physical addresses may have been included.

The breach has been attributed to the ShinyHunters threat actor group, which listed Carnival on its extortion portal around April 18, 2026, and set an April 21 deadline threatening to publish the data if Carnival did not comply with their demands. When Carnival did not pay, ShinyHunters published the data publicly. Have I Been Pwned confirmed 8.7 million records containing 7.5 million unique email addresses were released. Three class action lawsuits were filed against Carnival between April 22 and 24, 2026 — before consumer notifications were even sent — alleging that Carnival failed to implement adequate cybersecurity measures, including encryption and two-factor authentication, and failed to provide timely notice. The cases include Pottle v. Carnival Corp., Case No. 1:26-cv-22801, and Vasquez v. Carnival Corporation, Case No. 1:26-cv-22866-CMA, both in the U.S. District Court for the Southern District of Florida. This is also Carnival’s third known cybersecurity incident, following ransomware attacks disclosed in August 2020 and December 2020.

Key Facts at a Glance

  • Company or Organization: Carnival Corporation
  • Industry: Leisure travel / Cruise line operator
  • Location: Miami, Florida
  • Incident type: Unauthorized access via social engineering (phishing)
  • Date of breach: April 10, 2026
  • Date breach discovered: April 14, 2026
  • Date of consumer notification: May 27, 2026
  • Total persons affected: 5,995,277
  • Identity theft protection offered: Yes — 24 months of TransUnion Single Bureau Credit Monitoring, Credit Report, and Credit Score services, plus proactive fraud assistance through Cyberscout
  • Enrollment deadline: August 31, 2026
  • Prior breach: Yes — ransomware attacks in August 2020 and December 2020
  • Litigation status: Three class action lawsuits filed April 22–24, 2026, in the U.S. District Court for the Southern District of Florida
  • Source: Maine AG Filing; Have I Been Pwned; Cruise Hive; Security Boulevard

What Should You Do?

If you received a notice from Carnival Corporation, you should enroll in the complimentary 24-month TransUnion credit monitoring being offered at no charge — but act before the August 31, 2026 deadline. Beyond that, consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) to limit the risk of new accounts being opened in your name. Review your account statements and credit reports carefully for any unfamiliar activity. You are entitled to free annual credit reports at AnnualCreditReport.com. If you believe you are a victim of identity theft, visit IdentityTheft.gov for step-by-step guidance and to report the theft.

Your Legal Rights

If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
