AG Paxton Investigating Carnival Cruise Over Data Breach That Impacted 6 Million People

Carnival collects various types of personal information from customers during travel bookings, communications, or participation in rewards programs.
AG Paxton Investigating Carnival Cruise Over Data Breach That Impacted 6 Million People
The Carnival Splendor cruise ship sails in Sydney Harbour with the skyline in the background in Sydney in the state of New South Wales in southeastern Australia on Feb. 13, 2025. Véronique Tournier/Hans Lucas/AFP via Getty Images
|Updated:
0:00

Texas Attorney General Ken Paxton is probing Carnival Corporation over a recent data breach that led to the personal information of an estimated 6 million individuals getting stolen, including more than 800,000 Texas citizens.

“On April 14, 2026, Carnival’s information technology security team identified unauthorized activity involving an employee account. Carnival determined that social-engineering techniques were used to deceive an employee and gain access to the company’s systems. As a result, the unauthorized actor obtained access to consumers’ personal information,” Paxton’s office said in a June 22 statement.

Carnival, the largest cruise company in the world, collects various types of personal information from customers when they engage with the company during travel bookings, communications, account creation, or participation in rewards programs. Such information includes names, dates of birth, payment information, contact information, driver’s license, health details, and passports.

Moreover, the company may collect the content on customers’ devices, which include contacts and photos. According to Carnival, this is done for devices the customers use to access the company’s online services, with the data collected after receiving permission from the customer.

“We use this information to share photos and video you take during your vacation or to communicate with your contacts. You can change your permissions anytime through your mobile device,” Carnival’s privacy notice said.

The April data breach affected 800,060 Texans, the AG’s office statement said, citing a notification issued by the company to the Office of the Attorney General 44 days after the incident.

According to a May 27 notice of data breach issued by Carnival, the impacted data includes customers’ names, addresses, phone numbers, email IDs, dates of birth, and government-issued identification.

At the time, the company said it was notifying affected individuals, offering impacted U.S. customers two years of credit monitoring via TransUnion.

“We have taken steps to further safeguard our systems, including enhancing our security and monitoring controls,” the company said.

The recent statement from Paxton’s office said the attorney general had previously issued a Civil Investigative Demand (CID) to Carnival for assessing whether the company “adequately safeguarded” the personal information of Texas customers. A CID is an administrative order aimed at gathering and obtaining evidence, and is issued prior to any lawsuit being filed. 

The CID also aimed to assess whether Carnival’s security procedures to protect customers’ personal information were in line with state law requirements.

Carnival owns multiple cruise brands that operate globally, including Carnival Cruise Line, AIDA Cruises, Holland America Line, Seabourn, P&O Cruises, Costa Cruises, and Princess Cruises.

Last year, the company’s cruise lines served roughly 13.5 million guests globally. The Miami-headquartered Carnival and its cruise lines account for almost 40 percent of the overall cruise market worldwide, according to the company.

“I am investigating the Carnival cruise line data breach to ensure that the company is held accountable for any illegal action and that Texans’ private information is properly secured,” Paxton said.

“Data breaches are a serious matter, and my office is committed to protecting Texans’ sensitive personal information.”

The Epoch Times reached out to Carnival Corporation for comment but did not receive a response by publication time.

In a June 2 post, cybersecurity platform Safestate said that the extortion group ShinyHunters had claimed responsibility for the Carnival data breach via its pay-or-leak portal on April 18. At the time, the group claimed to have stolen more than 8.7 million customer records along with several terabytes of corporate data.

According to computer and network security company Huntress, ShinyHunters has been active since at least 2019. It doesn’t have a confirmed country of origin and is believed to be a decentralized operation.

The group is known for large-scale data theft, with victims including Ticketmaster, Harvard University, the European Commission, and Rockstar Games.

Meanwhile, on May 15, the FBI issued a public service alert, warning about potential future impacts of a ShinyHunters cyberattack against an online Learning Management System (LMS). The agency said victims of the attack may receive an extortion email, with malicious actors threatening them with false claims, such as possessing embarrassing photos.

The FBI did not name the affected LMS. However, a May 12 notice from Federal Student Aid said that ShinyHunters had claimed responsibility for breaching the Canvas Learning Management System that is used by K–12 schools and higher education institutions globally.

Google LogoMark Us Preferred on Google