Attorney General Ken Paxton announced his investigation into Carnival Corporation ("Carnival") following an April 2026 data breach that compromised the personal information of an estimated 6 million people, including over 800,000 Texans.

Carnival operates several cruise brands worldwide, including Carnival Cruise Line, Princess Cruises, Holland America Line, P&O Cruises, Seabourn, Costa Cruises, and AIDA Cruises. Carnival collects and maintains personal information from consumers when they create accounts, book travel, communicate with the company, or participate in rewards programs. Collected information includes names, contact information, dates of birth, payment information, passport information, driver's license information, health information, and other identifying information. Carnival's Privacy Notice further states that, with consumer permission, it may collect device content, including photos from a device camera roll and contacts from the device address book.

On April 14, 2026, Carnival's information technology security team identified unauthorized activity involving an employee account. Carnival determined that social-engineering techniques were used to deceive an employee and gain access to the company's systems. As a result, the unauthorized actor obtained access to consumers' personal information.

Carnival's data breach notification submitted to the OAG indicates that 800,060 Texas consumers were affected by the April 2026 data breach. This notification was submitted forty-four days after the breach. Attorney General Paxton has previously issued a Civil Investigative Demand ("CID") to the company to determine whether Carnival adequately safeguarded the personal information of Texas consumers and whether the company maintained reasonable procedures to protect this sensitive personal information as required by Texas law.

"I am investigating the Carnival cruise line data breach to ensure that the company is held accountable for any illegal action and that Texans' private information is properly secured," said Attorney General Paxton. "Data breaches are a serious matter, and my office is committed to protecting Texans' sensitive personal information."