Carnival Cruise Data Breach Lawsuit, Were You Affected?  Hackers Stole 8.7 Million Customer Records in April— Pottle v. Carnival Corp., Case No. 1:26-cv-22801, U.S. District Court, S.D. Fla.

Carnival Corporation is facing multiple class action lawsuits — including Pottle v. Carnival Corp., Case No. 1:26-cv-22801, filed in the U.S. District Court for the Southern District of Florida — alleging the cruise giant failed to protect and timely notify customers after hackers stole roughly 8.7 million personal records in April 2026. If you’ve booked a Carnival, Holland America, Princess, or any other Carnival-owned cruise in recent years, your information may have been taken.

Carnival Corporation Data Breach Lawsuit — Key Facts

Field	Detail
Lawsuit Filed	April 22, 2026 (first filing)
Defendant	Carnival Corporation & plc
Alleged Harm	Failure to protect and timely notify customers of a data breach
Specific Law Alleged	State and federal consumer protection laws; negligence; breach of implied contract; unjust enrichment
Who Is Affected	Current and former customers of Carnival Corporation brands, including Holland America’s Mariner Society loyalty program members
Court & Case Number	U.S. District Court, S.D. Fla. — Case No. 1:26-cv-22801 (Pottle); No. 1:26-cv-22866 (Vasquez); No. 1:26-cv-22844 (Cole)
Current Court Stage	Active litigation — cases recently filed, no certification yet
Lead Plaintiff Deadline	TBD — no court order issued yet
Settlement Status	No settlement — active lawsuit only
Law Firms Involved	Milberg PLLC (Pottle); additional counsel for Vasquez and Cole
Last Updated	May 26, 2026

Who Is Carnival Corporation and Why Are They Facing a Data Breach Lawsuit?

Carnival Corporation operates nine cruise brands across 95 ships, including Carnival Cruise Line, Holland America, Princess Cruises, Costa Cruises, Cunard, AIDA Cruises, P&O Cruises, and Seabourn — making it the world’s largest cruise company. Every time a customer books a cruise, they hand over names, passport numbers, dates of birth, and financial details. That data sat on Carnival’s systems — and according to three separate class action lawsuits, it was not protected well enough.

What Did Carnival Corporation Do That Put 8.7 Million Customers at Risk?

The hacking group ShinyHunters listed Carnival Corporation on its “pay or leak” portal on April 18, 2026, claiming the theft of over 8.7 million records containing personally identifiable information along with large volumes of internal corporate data. The attackers issued a deadline of April 21, 2026, warning that failure to engage would result in public data exposure and additional disruptive actions.

Carnival confirmed it detected suspicious activity tied to a phishing incident involving a single user account and said it moved quickly to block the unauthorized activity. One employee clicked a fake link, and that was enough.

The following week, ShinyHunters published the data publicly. The 8.7 million records contained 7.5 million unique email addresses, and the data appears tied to the Mariner Society loyalty program run by Holland America, a Carnival subsidiary. Exposed information included names, dates of birth, genders, and loyalty program status data.

For context on how similar data breach cases develop, read our coverage of the Citizens Bank data breach class action lawsuit filed in April 2026 and the Betterment data breach lawsuits involving ShinyHunters — the same hacking group behind this Carnival attack.

All three plaintiffs allege that their sensitive personal information was not encrypted, which would have made it unreadable to the hackers. Cole and Vasquez further claim that additional safeguards such as two-factor authentication were not in place, although those details have not been publicly confirmed by Carnival.

This is not Carnival’s first breach. Prior incidents include a May 2019 phishing attack on employee email accounts, a March 2020 data breach, and an August 2020 ransomware attack. Carnival previously reached a $1.25 million multistate settlement with 45 states tied to a 2019 breach — a deal that required the cruise line to strengthen its cybersecurity practices. Plaintiffs in the current lawsuits argue those improvements were clearly not enough.

Related article: Mercedes-Benz Recalls 144,049 Vehicles Over Instrument Panel Display Failure Were You Affected?

Are You Part of the Carnival Corporation Data Breach Class Action?

Here is exactly how to know if this lawsuit may include you.

You may be affected if:

• You are a current or former customer of any Carnival Corporation brand, including Carnival Cruise Line, Holland America, Princess Cruises, Costa, Cunard, AIDA, P&O Cruises, or Seabourn
• You are or were a member of Holland America’s Mariner Society loyalty program
• You booked a cruise with any Carnival-owned brand and provided your name, email address, date of birth, or passport details
• You received a breach notification from Carnival or its subsidiaries at any point after April 2026

You likely do NOT qualify if:

• You have never booked or cruised with any Carnival Corporation brand
• Your only connection to Carnival is as a stockholder (this is a consumer, not a securities, lawsuit)

Carnival Customers Outside Florida — Are You Still Covered?

Vasquez brings this action on behalf of herself and a nationwide class of current and former customers who entrusted the company with their private data as a condition of receiving travel services. Because all three lawsuits were filed in federal court in the Southern District of Florida, the class is expected to be nationwide. It does not matter whether you live in California, Tennessee, Texas, or any other state — if you were a Carnival customer, you may be included.

If you are unsure whether you are part of the Carnival data breach class action, a free consultation with a data privacy attorney can help you understand your situation before any deadlines are set by the court.

What Are Carnival Customers Asking the Court to Award in the 2026 Data Breach Lawsuit?

The lawsuits seek financial compensation, free credit monitoring for life for all class members, and a court-ordered overhaul of Carnival’s data security practices. Plaintiffs bring causes of action for negligence, breach of implied contract, and unjust enrichment, and also seek a declaratory judgment and injunctive relief to compel Carnival to adopt adequate security measures.

What Could Carnival Customers Receive If the 2026 Data Breach Case Settles?

No money is available right now. No claim form exists. These lawsuits were just filed in late April 2026 and are in the earliest stages of litigation.

If a settlement is eventually reached, the amount would depend on the number of class members, the strength of evidence, what courts certify, and what both sides negotiate. Data breach class actions of this type typically take two to four years to reach a settlement. For reference, Carnival’s prior 2019 breach ultimately resulted in a $1.25 million state attorneys general settlement — but consumer class action recoveries can vary widely depending on the facts and the size of the class.

Consult a data privacy attorney if you want a realistic assessment of your individual situation.

What Should Carnival Cruise Customers Do Right Now?

1. Understand you are likely automatically included. Most class members do not need to file anything at this stage. If the case moves forward and a class is certified, you will be notified.
   
2. Save every piece of documentation you have. Pull together any booking confirmations, loyalty program emails, breach notification letters, and account statements from Carnival or Holland America. These become important evidence.
   
3. Place a credit freeze or fraud alert now. Your name, date of birth, email address, and loyalty program data may already be circulating online. Contact the three credit bureaus — Equifax, Experian, and TransUnion — and place a freeze at no cost to you.
   
4. Watch for phishing attempts. With 7.5 million email addresses now publicly leaked, expect an increase in scam emails pretending to be from Carnival, travel agencies, or banks. Do not click links in unexpected emails.
   
5. Monitor the court docket. The case is active in the U.S. District Court for the Southern District of Florida. Track case developments through PACER at pacer.gov using case numbers listed in the Quick Facts table above.
   
6. Ask about your right to bring an individual claim. If your losses are substantial — identity theft, financial fraud, significant out-of-pocket costs — a data privacy attorney can assess whether an individual lawsuit makes more sense for your specific situation.

Carnival Corporation Data Breach Lawsuit Timeline

Milestone	Date
Breach allegedly occurs	April 18, 2026
ShinyHunters lists Carnival on extortion portal	April 18, 2026
ShinyHunters payment deadline to Carnival	April 21, 2026
Stolen data published publicly by hackers	Week of April 21, 2026
Pottle v. Carnival Corp. filed (Case No. 1:26-cv-22801)	April 22, 2026
Vasquez v. Carnival Corp. filed (Case No. 1:26-cv-22866)	April 28, 2026
Cole v. Carnival Corp. filed (Case No. 1:26-cv-22844)	April 28, 2026
Class certification hearing	TBD — no scheduling order yet
Lead plaintiff deadline	TBD — pending court order
Expected resolution	TBD — data breach class actions typically take 2–4 years

Carnival Data Breach Lawsuit — Frequently Asked Questions, No. 1:26-cv-22801

Is there a class action lawsuit against Carnival Corporation for the 2026 data breach?

 Yes. Three separate class action lawsuits have been filed in the U.S. District Court for the Southern District of Florida — Pottle (Case No. 1:26-cv-22801), Vasquez (Case No. 1:26-cv-22866), and Cole (Case No. 1:26-cv-22844) — all alleging Carnival failed to protect customer data and failed to provide timely breach notifications after the April 18, 2026 incident.

Do I need to do anything right now to be included in the Carnival data breach class action? 

No immediate action is required for most people. If a class is certified by the Southern District of Florida court, affected customers will be notified. What you should do now is preserve your records, place a credit freeze, and stay alert to phishing emails.

When will the Carnival data breach case settle? 

There is no settlement at this time. The lawsuits were just filed in late April 2026. Data breach class actions of this type typically take two to four years to resolve through a settlement or trial verdict.

Can I file my own lawsuit against Carnival for the 2026 data breach instead of joining the class? 

Yes, you have that option. Individual lawsuits are more expensive and complex, but they may make sense if you suffered significant documented losses — such as proven identity theft or major financial fraud — that exceed what a class settlement would typically cover. A data privacy attorney can help you weigh that decision.

How will I find out if the Carnival lawsuit settles?

 The settlement administrator (not yet appointed) will send notice to class members. You can also monitor the PACER docket at pacer.gov for any case developments using the case numbers above, or check back at AllAboutLawyer.com for updates.

What specific laws does Carnival allegedly violate in the 2026 data breach lawsuit?

 The complaints allege negligence (failure to implement adequate cybersecurity), breach of implied contract (customers paid for services with the understanding their data would be protected), and unjust enrichment. Some complaints also cite violations of state and federal consumer protection laws. The cases are pending in federal court under diversity jurisdiction.

How much could Carnival customers receive from a future data breach settlement?

 No money is available yet, and no claim form exists. If a settlement is eventually reached, individual payouts would depend on how many people file claims, the strength of evidence, and what both sides agree to. Carnival’s 2019 breach resulted in a $1.25 million multistate settlement — but class action consumer recoveries can vary widely. Consult a data privacy attorney for an honest assessment of your situation.

Was this Carnival’s first data breach?

 No. Carnival has experienced multiple prior cybersecurity incidents, including a 2019 phishing breach of employee email accounts and a 2020 ransomware attack. The 2019 breach resulted in a $1.25 million settlement with 45 state attorneys general that required Carnival to improve its data security — improvements that plaintiffs in the current lawsuits argue were not sufficient.

Sources Used in This Carnival Corporation Data Breach Article

• Cruise Hive — Carnival Served With Multiple Lawsuits Over Major Data Breach, April 2026: https://www.cruisehive.com/carnival-served-with-multiple-lawsuits-over-major-data-breach/207781

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against official court filings, CyberInsider, CruiseHive, Have I Been Pwned, and TravelPulse on May 26, 2026. Last Updated: May 26, 2026.

This article is for informational purposes only and does not constitute legal advice. For advice specific to your situation, consult a qualified attorney.