Texas Attorney General Ken Paxton (R) has launched an investigation into Carnival Corporation following a major data breach that exposed the personal information of approximately 6 million individuals, including more than 800,000 Texans.
Why is Texas investigating Carnival?
AG Paxton announced an investigation into Carnival Corporation after a cyber attack compromised sensitive consumer information in April 2026.
According to the Texas Attorney General's Office, Carnival reported that approximately 800,060 Texas residents were affected by the breach, which exposed personal information belonging to an estimated 6 million individuals worldwide.
The investigation will examine whether Carnival adequately protected consumer data and complied with Texas laws requiring companies to maintain reasonable security measures for sensitive information.
What information may have been exposed?
Carnival collects a wide range of personal information through its cruise brands and customer services.
According to the company, affected information may include:
- Names
- Contact information
- Dates of birth
- Payment information
- Passport information
- Driver's license information
- Health information
- Other identifying personal data
Carnival's privacy policy also states that, with customer permission, it may collect device content such as photos and contact information from mobile devices.
What is Paxton saying?
Attorney General Ken Paxton: "I am investigating the Carnival cruise line data breach to ensure that the company is held accountable for any illegal action and that Texans' private information is properly secured."
AG Paxton continued: "Data breaches are a serious matter, and my office is committed to protecting Texans' sensitive personal information."
Why does it matter?
The breach is one of the largest consumer data incidents reported this year and raises questions about how major travel and hospitality companies protect sensitive customer information.
Texas law requires businesses that collect personal information to implement reasonable security procedures and notify affected consumers when breaches occur.
