The fact that Carnival Corporation‘s May 2026 data breach notice included a literal placeholder—a bracket in the letter that stated “your <> were obtained”—is instructive. That kind of impersonal communication says a lot for a company that has millions of travelers’ passport numbers, birthdates, and government-issued IDs. Not necessarily about incapacity. However, there are priorities.
Slater Vecchio, a Vancouver-based law firm, filed a proposed class-action lawsuit against Carnival Corporation in the Supreme Court of British Columbia on June 17, 2026, on behalf of Canadians impacted by a cybersecurity incident that was discovered on April 14 by the company’s own IT team. According to a parallel U.S. lawsuit filed around the same time, the breach may have exposed up to 8.7 million records and was purportedly carried out through social engineering, in which an unauthorized actor tricked a Carnival employee into granting limited system access.
The data that could be accessed is the type that, once stolen, doesn’t remain silent. Complete names, mailing addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, and sometimes passport numbers are all pieces of information that can be used for years in phishing scams or identity theft. According to reports, the attack was carried out by the extortion group ShinyHunters, which is notorious for stealing data and then threatening to publish it unless a ransom is paid. It is unknown to the general public whether Carnival interacted with them.
It is known that this is not Carnival’s first time at this specific rodeo, which is a key component of the Canadian lawsuit. Two ransomware attacks and a phishing incident were among the four distinct cybersecurity incidents that the company reported to the New York Department of Financial Services between 2019 and 2021. Despite those earlier incidents, the Canadian lawsuit claims that Carnival did not take sufficient precautions to protect consumer data. There is merit to that argument. Being breached once is one thing.
“Privacy rights in Canada carry quasi-constitutional weight, and the obligations they impose on companies like Carnival are not aspirational — they are mandatory,” stated Anthony Vecchio, a partner with Slater Vecchio LLP. It is more difficult to explain a pattern. The lawsuit claims that PIPEDA, the federal law governing how private sector organizations handle personal information, and a number of provincial privacy laws have been violated. Data protection is “a priority” for the company, according to a Carnival representative who told the media that additional security layers have been added. If the same assurances hadn’t been given following earlier incidents, that statement might have more weight.
In this instance, one particular detail sticks out, and it’s not a minor one. A free two-year subscription to TransUnion’s credit monitoring service was made available to affected Americans. Canadians weren’t. This is made clear in the lawsuit. Those impacted in British Columbia and elsewhere may interpret this discrepancy as a sign of their position in Carnival’s response planning, though there may be contractual or legal explanations for it. A resident of British Columbia filed the lawsuit after learning that her personal data was at stake. She’s probably not alone, and others who got similar notices might eventually be included thanks to the class-action structure.
From a distance, this case fits into a larger narrative about how big businesses continue to gather vast amounts of sensitive traveler data, such as passport information, loyalty program memberships, and health information, while their cybersecurity postures fall short of the risk. With its generic language about restricted system access and personalized data placeholders, Carnival’s breach notice gives recipients very little information about the real risk they now face. That ambiguity is truly unsettling for those whose passport numbers may have been copied by a ransomware group.
Carnival’s legal response and the extent of this lawsuit are still unknown. In Canada, class-action lawsuits proceed slowly. However, the filing itself is important because it places the burden of proof on a business that, by most accounts, ought to have strengthened its defenses long ago.
