Texas Attorney General Ken Paxton has launched an investigation into Carnival Corporation following a data breach that exposed the personal information of an estimated 6 million people, including more than 800,000 Texas residents.
The investigation was announced Monday after the company reported that unauthorized access to its systems in April 2026 compromised consumer data collected through its cruise and travel operations.
According to the Texas Attorney General’s Office, Carnival notified the state that 800,060 Texas consumers were impacted by the breach.
Carnival, which operates several cruise brands worldwide, including Carnival Cruise Line, Princess Cruises, Holland America Line, P&O Cruises, Seabourn, Costa Cruises and AIDA Cruises, gathers personal information from customers who create accounts, book trips, communicate with the company or participate in rewards programs.
The company maintains a range of consumer information, including names, contact details, dates of birth, payment information, passport data, driver’s license information, and health-related information. Its privacy policy also states that, with customer permission, it may collect device content such as photos and contact lists.
Carnival said its information technology security team detected unauthorized activity involving an employee account on April 14, 2026.
According to the company’s findings, a threat actor used social-engineering tactics to deceive an employee and gain access to company systems. The unauthorized access allowed the individual to obtain consumer personal information.
The attorney general’s office said Carnival submitted its breach notification to Texas 44 days after the incident occurred.
Before announcing the investigation, Paxton’s office issued a Civil Investigative Demand to Carnival seeking information about the company’s cybersecurity practices.
The investigation will examine whether Carnival adequately protected Texans’ personal information and whether the company maintained reasonable security procedures as required under Texas law.
“I am investigating the Carnival cruise line data breach to ensure that the company is held accountable for any illegal action and that Texans’ private information is properly secured,” Paxton said in a statement.
“Data breaches are a serious matter, and my office is committed to protecting Texans’ sensitive personal information.”
The attorney general’s office has not announced any findings or enforcement actions related to the investigation.
The inquiry remains ongoing as state officials review the circumstances surrounding the breach and Carnival’s handling of consumer data security.
