TEXAS AG SETS SAIL ON PRIVACY ENFORCEMENT: Carnival Faces Investigation Following Massive Data Breach Affecting 800,000 Texans

Attorney General Ken Paxton announced an investigation into Carnival Corporation following a significant April 2026 data breach that reportedly exposed the personal information of approximately six million individuals, including more than 800,000 Texas residents. According to the Texas Attorney General’s Office, the breach resulted from a social-engineering attack that compromised an employee account and provided unauthorized access to Carnival’s systems.

The Attorney General’s investigation will focus on whether Carnival implemented reasonable security measures to protect consumer data and whether the company complied with Texas legal requirements governing the safeguarding of sensitive personal information. The Office has already issued a Civil Investigative Demand (CID) seeking information regarding Carnival’s cybersecurity practices and incident response efforts.

The incident is notable because of both its scale and the breadth of information potentially exposed. Carnival’s records reportedly contain a wide range of personal data, including names, contact information, dates of birth, payment card information, passport details, driver’s license information, and health-related information. The company’s privacy disclosures also indicate that certain device content, such as photographs and contact lists, may be collected with consumer consent.

The investigation underscores the increasingly aggressive enforcement posture of state regulators toward organizations that experience major cybersecurity incidents. Texas law requires businesses that maintain sensitive personal information to implement reasonable procedures designed to protect that information from unauthorized access and misuse. As state attorneys general continue to prioritize privacy and cybersecurity enforcement, companies that collect large volumes of consumer data should expect heightened scrutiny regarding their security controls, employee training programs, vendor oversight, and breach response procedures.

For businesses operating in Texas, the Carnival investigation serves as a reminder that a successful social-engineering attack may not be viewed merely as a criminal act by a third party. Regulators are increasingly examining whether the affected organization maintained adequate safeguards to prevent foreseeable threats and whether its security program was reasonable given the sensitivity and volume of the data collected.

This type of breach highlights the continuing need for companies to maintain data privacy policies, monitoring processes, response procedures, and employee training. The risks are real, and they are not going away.

This matter will be closely watched by privacy professionals and compliance counsel as another example of state-level enforcement activity focused on cybersecurity governance and consumer data protection. If you need an evaluation of your data privacy policies and/or training materials, Troutman Amin LLP is here and ready to assist.
