AUSTIN, Texas — Texas Attorney General Ken Paxton announced Monday that his office is investigating Carnival Corporation following an April 2026 data breach that exposed the personal information of an estimated 6 million individuals, including more than 800,000 Texans.
The attorney general’s office said the breach affected 800,060 Texas consumers. Carnival Cruise Line operates cruises from Galveston, one of its major U.S. ports.
According to Carnival Corporation, its information technology security team detected unauthorized activity involving an employee account on April 14. The company said an unauthorized individual used a social engineering scheme to deceive an employee and gain access to a limited portion of its IT system.
Carnival said it blocked the unauthorized activity after discovering the incident.
The company determined on April 22 that an unauthorized party had copied personal information. It publicly disclosed the breach on May 27.
Carnival said the compromised information included names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, including driver’s license and passport numbers.
Paxton’s office issued a Civil Investigative Demand to determine whether Carnival adequately protected consumer data and complied with state requirements for safeguarding personal information.
The attorney general’s office noted that Carnival submitted its notification to Texas authorities 44 days after the breach occurred.
“I am investigating the Carnival cruise line data breach to ensure that the company is held accountable for any illegal action and that Texans’ private information is properly secured,” Paxton said in a statement.
“Data breaches are a serious matter, and my office is committed to protecting Texans’ sensitive personal information,” he added.
Carnival said it is working with third-party cybersecurity experts as part of its response to the incident. The company is also offering two years of complimentary credit monitoring through TransUnion to affected U.S. residents.
“We deeply regret this incident and any concern it may cause and have sent notification letters to individuals whose data was impacted,” Carnival said in its breach notice.
A Carnival Corporation spokesperson said the company will cooperate with the attorney general’s investigation and provide any requested information.
