Published
June 20, 2026
Allegations Only · No Settlement Yet
This article describes class action complaints and an attacker's public claims. The lawsuit statements below are unproven allegations. Carnival has not been found liable, there is no certified class, and nothing to claim at this time. This page is informational and is not legal advice.
Status
Breach Confirmed · Lawsuits Filed
Multiple class actions · U.S. District Court, S.D. Florida
People Affected
~5,995,277 confirmed · 8.7M-record hacker claim
Carnival-confirmed count via state AG filings; the 8.7M figure is the attacker's unverified claim
Data Involved
Names, DOB, driver's license & passport numbers
Plus addresses, email, phone & Holland America Mariner Society loyalty data
Can I Claim?
No — nothing to claim yet
No settlement; Carnival is offering credit monitoring to people it notified
What Is This About?
Carnival Corporation — the world's largest cruise operator, whose brands include Carnival Cruise Line, Princess Cruises, and Holland America Line — confirmed a data breach that it is notifying roughly 5,995,277 people about. After the breach became public, multiple proposed class action lawsuits were filed against the company.The cases are pending in the U.S. District Court for the Southern District of Florida and include Pottle v. Carnival Corporation (No. 1:26-cv-22801), Cole v. Carnival Corporation (No. 1:26-cv-22844), and Vasquez v. Carnival Corporation (No. 1:26-cv-22866), all filed in late April 2026. The suits allege Carnival failed to adequately protect customers' personal information and failed to notify them quickly enough. Carnival has not been found liable, and the claims remain unproven.
What Happened
According to Carnival, its security team detected unauthorized activity on or about April 14, 2026, tied to a compromised employee account, and blocked it. The company has described the incident as a social-engineering attack that gave an outside actor access to a limited portion of its systems through that account. Carnival determined that personal information had been copied, and on May 27, 2026 it began notifying affected individuals by email and through a dedicated incident webpage.Based on Carnival's notice and state attorney general filings, the information involved included names, addresses, email addresses, phone numbers, dates of birth, and government-issued ID numbers — including driver's license and passport numbers — along with loyalty-program data tied to Holland America's Mariner Society. Carnival has not stated that Social Security numbers were involved. (This 2026 incident is separate from Carnival's earlier 2019–2021 breaches.)
Confirmed Scope vs. the Attacker's Claim
It is important to separate what Carnival has confirmed from what the attacker claims:• Company-confirmed: Carnival is notifying approximately 5,995,277 people (about 6 million).
• Attacker claim (unverified): the ShinyHunters extortion group claimed responsibility and said it stole more than 8.7 million records. An independent analysis by Have I Been Pwned reported the leaked dataset contained about 7.5 million unique email addresses. The 8.7 million figure is a record count claimed by the attacker, not Carnival's confirmed count of people.
Reporting an attacker's record count as the number of victims is a common error; the reliable figure is the roughly 6 million people Carnival is notifying.
What the Lawsuits Allege
The class action complaints allege that Carnival failed to implement reasonable and industry-standard cybersecurity — such as multi-factor authentication, encryption, and employee training to resist social-engineering — and that this failure allowed the breach to happen. They also allege Carnival was too slow to notify affected people, pointing out that notifications went out in late May, weeks after the company detected the intrusion in April. The complaints bring claims that commonly appear in data-breach cases, including negligence, negligence per se, breach of implied contract, and unjust enrichment, with at least one case adding California Consumer Privacy Act and Unfair Competition Law claims.The plaintiffs seek damages and court orders requiring Carnival to strengthen its data security. As with any complaint, these are allegations only. A court has not ruled on whether Carnival's security was inadequate or whether it did anything wrong.
Is There a Carnival Settlement Yet?
No. These are lawsuits, not a settlement.That means:
• There is no settlement fund.
• There is no claim form.
• There is no payout, and no deadline to act on a settlement.
The only consumer benefit available right now is the complimentary credit monitoring (provided through TransUnion) that Carnival is offering to people it notified — which is breach-response identity protection, not a legal settlement, and requires no lawsuit "claim." If the litigation is ever resolved through a settlement, or a class is certified, a formal claims process with its own eligibility rules and deadlines would be announced separately. Be cautious of any website that claims you can "file a claim" for this matter today.
What Should Affected People Do Now?
If Carnival notified you, consider taking the usual data-breach precautions: enroll in the credit monitoring Carnival is offering, watch your bank and card statements for unfamiliar activity, and consider placing a fraud alert or a credit freeze with the major credit bureaus. Because passport and driver's license numbers were reportedly involved, be alert to identity-verification scams. Keep your breach notice in case a settlement or certified class later opens a claims process.This page is informational and is not legal advice. People with questions about their individual rights may want to speak with a licensed attorney in their state.
Frequently Asked Questions
Is there a Carnival data breach settlement yet?
No. Class action lawsuits have been filed, but there is no settlement, no fund, and no claim form. Carnival has not been found liable. The only current benefit is the credit monitoring offered to people Carnival notified.What information was exposed in the Carnival data breach?
Per Carnival's notice, the data included names, addresses, email addresses, phone numbers, dates of birth, and government-issued ID numbers such as driver's license and passport numbers, plus Holland America Mariner Society loyalty data. Carnival has not said Social Security numbers were involved.How many people were affected by the Carnival breach?
Carnival is notifying about 5,995,277 people (~6 million). The attacker, ShinyHunters, claimed more than 8.7 million records — an unverified figure; Have I Been Pwned found about 7.5 million unique emails in the data.Sources
• BleepingComputer — "Carnival Cruise confirms data breach affecting nearly 6 million people"• SecurityWeek — "Carnival Data Breach Exposed 6 Million People"
• Have I Been Pwned — Carnival breach analysis (~7.5M unique emails)
• Court records — Pottle v. Carnival (1:26-cv-22801), Cole v. Carnival (1:26-cv-22844), Vasquez v. Carnival (1:26-cv-22866), S.D. Fla.
Free settlement alerts
Get notified when new class actions open to claims
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.
For more class actions keep scrolling below.
Status
Breach Confirmed — Class Actions Filed
Lead Cases
Pottle / Cole / Vasquez v. Carnival Corporation
Case Numbers
1:26-cv-22801 · 1:26-cv-22844 · 1:26-cv-22866
Court
U.S. District Court, S.D. Florida
People Notified
~5,995,277
Breach Detected
On or about April 14, 2026
