TL;DR
Carnival Corporation has confirmed a data breach affecting nearly 6 million customers, including UK passengers of P&O Cruises and Cunard. ShinyHunters claimed responsibility. Affected UK customers have UK GDPR rights to information and can complain to the ICO.
Last reviewed 3 June 2026
Key facts
- Carnival Corporation disclosed the breach on 27 May 2026, with notification letters dated the same day.
- Nearly 6 million customers were affected. The ShinyHunters group claims to have stolen 8.7 million records.
- Affected brands include P&O Cruises, Cunard, Holland America Line, Princess Cruises, Carnival Cruise Line and Seabourn.
- Data exposed includes names, addresses, dates of birth, email addresses, phone numbers and government-issued ID such as passport and driver's licence numbers.
- The initial intrusion occurred on 14 April 2026 via a social engineering attack on an employee account.
What happened and what data was taken
Carnival Corporation, parent company of nine cruise brands including the UK-relevant P&O Cruises and Cunard, identified unauthorised activity on an employee account on 14 April 2026. The investigation, completed on 22 April 2026, determined that an attacker copied personal information from internal systems. Notification letters were dated 27 May 2026.
Categories of data exposed, per the notification, include customer names, addresses, dates of birth, email addresses, phone numbers and government-issued identification numbers including passport and driver's licence details. Researchers reviewing leaked samples reported that the records appear concentrated on the Holland America Mariner Society loyalty programme but include customers of other brands.
The ShinyHunters extortion group has claimed responsibility, alleging it stole 8.7 million records with 7.5 million unique email addresses. Carnival has not publicly attributed the attack.
UK GDPR rights for affected customers
UK customers of P&O Cruises and Cunard whose data was processed by Carnival Corporation are protected under the UK GDPR and the Data Protection Act 2018. Where a personal data breach is likely to result in a high risk to rights and freedoms, the controller must inform affected individuals without undue delay.
An affected UK individual has the following rights:
- Right to information: A clear description of what happened, what data was involved, and what is being done. The notification letter should provide this.
- Right of access: To request a copy of all personal data the controller holds about them (a Subject Access Request).
- Right to complain: Affected individuals can complain to the Information Commissioner's Office. The ICO assesses whether the controller met UK GDPR obligations and can issue fines and enforcement notices.
- Right to compensation: Individuals who have suffered material or non-material damage can claim compensation through the courts. The UK courts have set a high threshold for non-material damage following the Lloyd v Google judgment.
Practical steps to take now
For UK customers who receive a Carnival notification or believe they may be affected:
- Check whether the email address used to book is listed on the Have I Been Pwned database, which has added the Carnival breach.
- Reset passwords on any account that reused the breach email or password.
- Enable two-factor authentication on financial and email accounts.
- Be alert to phishing emails referencing P&O Cruises or Cunard. The exposed data set, including names, dates of birth and ID document numbers, gives attackers raw material for highly personalised phishing.
- If a passport number is exposed and the passport is used for international travel, consider whether to apply for a replacement passport. HM Passport Office charges a renewal fee but a replacement does not automatically follow a data breach.
- Monitor bank statements for unfamiliar transactions. Credit reference agencies (Experian, Equifax, TransUnion) offer alerts for new credit applications in the individual's name.
Advisory: Carnival Corporation is offering free credit monitoring to some affected individuals through the notification letter. Read the notification carefully and follow the activation instructions if eligible.
Disclaimer
This article is for general information only and does not constitute financial, legal, tax, insurance, or investment advice. Kael Tripton Ltd is registered with the Information Commissioner's Office (ICO ZC135439) as a data controller but is not authorised by the Financial Conduct Authority. Figures and rules are correct at time of publication and may change. Always check the primary source linked below before acting on any information, and seek advice from a qualified professional for your specific circumstances.
Frequently asked questions
Was P&O Cruises affected by the Carnival data breach?
Yes. P&O Cruises is part of Carnival Corporation. Carnival's notification covers customers across all its brands including P&O Cruises, Cunard, Holland America Line, Princess Cruises and others.
What data was stolen in the Carnival breach?
Carnival's notification lists names, addresses, dates of birth, email addresses, phone numbers and government-issued identification numbers including passport and driver's licence numbers.
Can I claim compensation if I was affected?
UK GDPR Article 82 allows individuals to claim compensation for material or non-material damage from a personal data breach. The court threshold for non-material damage is high following Lloyd v Google. Specialist data breach solicitors offer no-win-no-fee assessments.
Should I replace my passport if my passport number was exposed?
There is no automatic requirement to replace a passport after a data breach. A passport number alone does not generally enable identity fraud, but combined with other exposed data it can be a factor. HM Passport Office can advise on suspected misuse.
How do I complain to the ICO about Carnival?
Use the ICO complaints form at ico.org.uk/make-a-complaint. The ICO will assess whether Carnival met its UK GDPR obligations. The ICO cannot award individual compensation but can take enforcement action against the controller.