Key Aspects:
- More than 8.7 million records have allegedly been impacted in a major data breach impacting Carnival Corporation.
- The cruise line has now been slapped with three class action lawsuits related to the breach.
- In the claims, the cruise company is accused of negligence related to inadequate cybersecurity protocols.
At the end of April, news broke that Carnival Corporation had been targeted by ShinyHunters, a prolific cybercriminal group that is infamous for data theft, extortion, and selling stolen information on the dark web.
Now, Carnival is facing a wave of lawsuits accusing the brand of negligence, citing inadequate cybersecurity protocols and a failure to notify impacted victims in a timely manner.
On April 24, Cruise Hive reported that more than 8.7 million records were allegedly stolen, including sensitive personal data from guests as well as internal corporate data.
It’s not yet clear which data was specifically stolen, but any of Carnival’s brands could have been affected, including Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, Cunard, Costa Cruises, and AIDA Cruises.
Released information could include details like birthdays, loyalty club numbers, credit card numbers, passport data, phone numbers, passwords, and more.
Carnival initially promised to communicate directly with passengers whose data was leaked to provide additional information and support, but that wasn’t good enough for some past guests.
Three separate class action lawsuits that are related to the breach were filed against the cruise company between April 22-24, 2026, and it wouldn’t be surprising if more were on the way.
The legal action comes from Yvonne Vasquez in California, Zachary Pottle in Florida, and Ashley Cole in Tennessee. All three suits were filed against Carnival Corporation in the United States District Court for the Southern District of Florida.
Carnival is Accused of Negligence
Pottle was the first to file his lawsuit on April 22, and his legal team is primarily arguing that Carnival did not have adequate data security protocols in place. This sentiment is echoed in the other two suits.
Like the other plaintiffs, Pottle feels that Carnival should have been able to foresee that a data breach was possible given an increase in cyberattacks targeting large financial and travel corporations, and did not take adequate precautions to protect customer data.
All three plaintiffs allege that their sensitive personal information was not encrypted, which would have made it unreadable to the hackers.
Cole and Vasquez also claim that additional security measures, such as two-factor authentication, were not in place. It’s unclear where the legal teams sourced that information, and it has not been confirmed publicly by Carnival Corporation.
And as another nail in the proverbial coffin, both Cole and Vasquez’s suits state that ShinyHunters warned Carnival that the data would be leaked if the company did not comply with their demands by April 21 (which the brand did not).
The former passengers are seeking compensation because they say that they are now at an increased risk of fraud and identity theft for life because of the data breach.
They are seeking financial compensation, free credit monitoring service for life for all members of their class action suits, and a court-ordered overhaul to ensure that the data that remains in Carnival’s possession is properly protected.
Carnival Responds to Security Breach
When news of the data breach first became public, Carnival told Cruise Hive that it was aware of unauthorized activity and had taken immediate action to block any further unauthorized access. According to the lawsuits, the breach likely occurred on or around April 18, 2026.
“After detecting unauthorized online activity involving a single user account, we acted quickly to shut it down and block any further unauthorized access and have notified law enforcement,” Carnival said in a statement at the time.
“Data privacy and protection are extremely important to Carnival Corporation and we’re working closely with trusted global security experts to be thoughtful and deliberate in our review of the data involved, recognizing that anonymous reports circulating online are not always accurate,” the cruise company continued.
Carnival said that any impacted guests would be notified as soon as possible, though it’s unclear if that communication has occurred at this time.
Depending on how things go, Carnival may need to make its second massive data breach-related payout in recent history to make things right.
In 2022, the brand was ordered to strengthen its security practices and shell out $1.25 million due to a data breach in August of 2020.
The earlier breach impacted around 180,000 Carnival guests and employees, which is minimal compared to the millions that have been wrapped into the current global breach. Only time will tell how the situation will resolve.
