Carnival Faces Lawsuits Over Reported Data Breach

Carnival Corporation is dealing with a number of lawsuits following a reported data breach that may have exposed the personal information of millions of customers, raising questions about its data security practices.

According to industry and cybersecurity sources, the incident has been linked to the hacking group ShinyHunters and may have affected up to 8.7 million records. The compromised data is said to include names, dates of birth, and email addresses associated with loyalty programs run by Carnival’s brands.

Carnival stated that it detected unauthorized access involving a single user account and responded quickly by blocking it, informing law enforcement, and engaging external cybersecurity specialists to investigate.

The company has not confirmed the full extent of the breach, noting that the investigation is still ongoing. However, the situation could result in further legal and financial consequences as more information becomes available.

Despite Carnival’s suggestion that the breach may have been limited, reports that a large dataset has been shared online have prompted several legal actions in the United States. One of the first cases, Burling v. Carnival Corporation, was filed in Florida in April 2026 and may be followed by additional lawsuits.

Legal analysts expect the cases to focus on whether Carnival had sufficient security measures in place and how it responded to the incident. Previous cases of a similar nature have led to settlements, including a $1.25 million multistate agreement linked to an earlier data breach involving the company.

Cybersecurity experts note that large travel operators are common targets for hacking groups due to the volume of customer data they hold across multiple brands. Databases linked to loyalty programs are often particularly attractive to groups such as ShinyHunters because of their value.