Carnival Faces Three Lawsuits After Cyberattack Exposes 8.7 Million Records

Carnival detected unauthorized activity linked to a single user account in early April 2026, shut down the access, and notified law enforcement. The attacker group ShinyHunters is reported to have targeted the company, warning that stolen data would be released unless demands were met by April 21.

Three separate lawsuits were filed between April 22 and April 24 in the United States District Court for the Southern District of Florida. Plaintiffs Yvonne Vasquez, Zachary Pottle, and Ashley Cole allege Carnival did not implement adequate cybersecurity measures, including encryption of personal data and two‑factor authentication.

The complaints state that the breach exposed sensitive guest and corporate information across multiple Carnival brands, increasing long‑term risk of fraud and identity theft. Plaintiffs seek financial compensation, lifetime credit monitoring for affected individuals, and a court order requiring Carnival to strengthen its security posture.

What this means for Carnival and the travel industry is a renewed focus on credential protection and data encryption. The incident follows a 2020 breach that affected roughly 180,000 guests and resulted in a $1.25 million settlement and mandated security upgrades.

Mitigations - Enforce multi‑factor authentication on all privileged and remote access accounts (MITRE ATT&CK T1078). - Deploy UEBA solutions to detect anomalous login patterns from single compromised credentials. - Encrypt personally identifiable information at rest and in transit using AES‑256 or stronger. - Regularly review and rotate service account passwords; implement password‑less authentication where feasible. - Monitor for exfiltration attempts using network traffic analysis and DNS tunneling detection (MITRE ATT&CK T1041). - Apply the latest patches for known VPN and remote‑desktop vulnerabilities (e.g., CVE‑2023‑28252, CVE‑2023‑22515).

Watch for the outcome of the Florida lawsuits and any regulatory actions from the FTC or state attorneys general that could set new data‑protection benchmarks for the cruise sector.