Most of us hand over a lot of personal information before a cruise without thinking too much about it.
Passport details. Birth dates. Email addresses. Loyalty numbers. Sometimes even payment details. It’s not exactly the fun part of planning a cruise, but it’s part of getting from “I booked it!” to “Where’s my sail-away drink?”
Now, Carnival Corporation is facing a growing legal headache after reports that millions of records may have been exposed in a data breach linked to the cybercrime group ShinyHunters.

Three former passengers have filed lawsuits accusing the cruise company of failing to properly protect customer data. Carnival, meanwhile, says it acted quickly after detecting unauthorized activity and is still reviewing what information may have been involved.
So, what actually happened? Here’s where things stand.
Carnival Is Now Facing Multiple Lawsuits Over The Reported Breach
Carnival Corporation is now facing three proposed class action lawsuits in the United States after a reported data breach that allegedly involved millions of records. According to the lawsuits, the breach is believed to have happened on or around April 18, 2026.
The lawsuits were filed between April 22 and April 24, 2026, in the United States District Court for the Southern District of Florida. The plaintiffs are former passengers Yvonne Vasquez from California, Zachary Pottle from Florida, and Ashley Cole from Tennessee.
The claims come after reports that ShinyHunters, a cybercrime group known for stealing and leaking data, targeted Carnival Corporation.
ShinyHunters has been linked to several high-profile data theft and extortion cases over the years, often involving large databases that later appear for sale or leak online. The group’s name being tied to the Carnival incident is one reason the story has drawn so much attention, although Carnival has not confirmed every detail of the online claims.
It’s worth being careful with the wording here. The lawsuits are allegations, not court findings. Carnival has not publicly confirmed the full scope of the data involved, and no judge has decided whether the company did anything wrong.
But with millions of records reportedly involved, it’s easy to see why passengers are paying close attention. Nobody books a cruise expecting their personal details to end up at the center of a legal fight.
What The Lawsuits Claim Carnival Got Wrong
The lawsuits accuse Carnival of not doing enough to protect passenger information from cyberattacks.
According to the claims, Carnival should have known that a major travel company could be a tempting target for hackers. Cruise lines collect a huge amount of customer data, from basic contact details to loyalty program information, and that can make them attractive to cybercriminals.
The plaintiffs allege that Carnival failed to use adequate cybersecurity measures and that some sensitive information may not have been properly encrypted. In simple terms, encryption helps scramble data so it can’t be read easily if someone gets unauthorized access.
Some of the lawsuits also claim that stronger safeguards, such as two-factor authentication, may not have been in place. Carnival has not publicly confirmed those details, so that part remains an allegation from the legal filings.
The passengers are seeking financial compensation, lifetime credit monitoring for affected class members, and a court order requiring Carnival to improve its data security systems.
That’s a lot on the table. And for Carnival, the timing is not ideal, especially since cybersecurity issues tend to stick around long after the first headlines fade.
What Information May Have Been Exposed
Have I Been Pwned, the well-known data breach notification site, lists the Carnival incident as containing 8.7 million records, including 7.5 million unique email addresses.
The clearest publicly listed data appears to relate to Holland America Line’s Mariner Society loyalty program. Holland America is one of Carnival Corporation’s cruise brands.
The exposed fields listed by Have I Been Pwned include names, email addresses, dates of birth, genders, geographic locations, salutations, and loyalty program details.
That does not automatically mean every Carnival Corporation guest had the same type of information exposed. It also does not confirm that payment card numbers, passport numbers, or passwords were part of the publicly listed data set.
Some reports and legal claims have raised concerns about broader guest and corporate data. But for now, the clearest public information points to Holland America loyalty-related personal details, while Carnival continues to review the full scope of what was involved.
Carnival Says It Acted Quickly
Carnival has said it detected unauthorized online activity involving a single user account and moved quickly to shut it down.
The company said it blocked further unauthorized access, notified law enforcement, and brought in outside security experts to help review the data involved.

Carnival has also warned that anonymous reports circulating online are not always accurate. Some claims about data breaches can spread quickly before a company has finished checking exactly what happened.
The company said that if it determines personal information was affected, it will follow disclosure rules and contact impacted people directly.
That puts passengers in a familiar but frustrating position: waiting.
And waiting is not exactly anyone’s favorite activity, especially when the company is still working out who may have been affected.
Why Passengers Are Worried
The biggest fear for many passengers is not just that their information may have been seen. It’s what could happen after.
Personal data can have a long shelf life. You can change a password. You can cancel a credit card. You cannot exactly swap out your date of birth because some hacker decided to ruin everyone’s week.
That’s why the lawsuits point to concerns about identity theft, fraud, and phishing attempts. A phishing email is a fake message designed to trick you into clicking a link, entering a password, or handing over more information.
For cruisers, the worry is that scammers could send convincing emails pretending to be Carnival, Holland America, or another cruise brand. If they already know your name, email address, and loyalty details, the message can feel more real than the usual “hello dear customer” nonsense.
Passengers who think they may be affected should be extra careful with cruise-related emails, especially messages asking them to log in, update payment details, or click urgent links.
A few sensible steps can help:
- Go directly to the cruise line’s website instead of clicking email links
- Change reused passwords, especially if the same password was used for a cruise account
- Turn on two-factor authentication where available
- Watch for unexpected account changes or loyalty program activity
- Be careful with phone calls claiming to be from a cruise line
No one needs to panic-cancel a cruise over this. But it’s smart to be alert, especially while Carnival’s investigation is still moving along.
This Is Not Carnival’s First Cybersecurity Problem
This is not the first time Carnival has faced scrutiny over data security.
In 2022, Carnival Cruise Line reached a $1.25 million multistate settlement tied to a 2019 data breach that affected about 180,000 employees and customers nationwide.
That earlier breach was publicly reported in March 2020 and involved unauthorized access to certain employee email accounts. According to state attorneys general, the exposed information included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a smaller number of Social Security numbers.
As part of that settlement, Carnival agreed to strengthen its email security and breach response practices. Those measures included phishing training, multi-factor authentication for remote email access, stronger password policies, better monitoring tools, and an independent information security assessment.
That history does not prove Carnival is at fault in the latest case.
But it does explain why this new round of lawsuits may get extra attention. Once a company has already been told to tighten its systems, any new cybersecurity claim is going to draw a sharper look.
What Happens Next
For now, there are two tracks to watch: Carnival’s investigation and the lawsuits.
Carnival is still reviewing what data was involved and has said it will contact affected people directly if personal information is confirmed to have been impacted.
The lawsuits, meanwhile, will need to move through the courts. That process can take time, especially if the cases are combined, challenged, or expanded into larger class action claims.
It’s also possible more lawsuits could follow, especially if more passengers receive notices or if new details about the exposed data come out.
As of May 1, at least one additional law firm has also opened an investigation into the reported breach and is asking people who believe they may have been affected to come forward. That does not mean a new lawsuit has been filed, but it does suggest legal interest in the incident is still building.
Thanks for reading!
I'm Kat, and I've been cruising for as long as I can remember — now I get to carry on the tradition with my own family!








