Holland America Data Breach 2026: Could Your Personal Information Be at Risk?

5 min read time
Headshot of U. Seth Ottensoser, a New York City-based mass arbitration lawsuit lawyer at Morgan & Morgan Reviewed by U. Seth Ottensoser, Attorney at Morgan & Morgan, on July 7, 2026.
Media image.

Key Takeaways

  • Holland America customers may have been affected by a 2026 Carnival Corporation breach involving unauthorized access through a compromised employee account.
  • Exposed information may include names, contact details, dates of birth, passport numbers, and driver’s license numbers, depending on the individual.
  • Affected travelers should monitor accounts, change reused passwords, watch for phishing, and consider fraud alerts or credit freezes.
  • If you received a Holland America or Carnival Corporation breach notice, Morgan & Morgan may be able to help you pursue compensation.

Injured? 

We can help.

When travelers book a cruise, they often provide far more than basic contact information. A cruise line may collect names, birth dates, home addresses, phone numbers, email addresses, passport numbers, driver’s license numbers, payment information, loyalty account details, emergency contacts, travel preferences, and records tied to past or upcoming trips.

But when that data is exposed in a breach, travelers may be left dealing with the consequences.

Holland America Line customers may now have questions after Carnival Corporation, Holland America’s parent company, disclosed a 2026 cybersecurity incident that may have exposed personal information belonging to affected individuals. According to Carnival Corporation’s public notice, the breach involved unauthorized access to a limited portion of company systems after an employee account was compromised through social engineering.

For Holland America passengers, the concern is not just that a large cruise company was breached. It is that cruise lines often hold highly detailed traveler information, including government-issued identification numbers, contact details, loyalty account information, and travel-related records.

For affected travelers, the question is simple and serious: Could my personal information be at risk?

Here is what Holland America customers and other potentially impacted individuals should know.

 

Overview of the Holland America-Related Data Breach

Carnival Corporation, the parent company of Holland America Line, disclosed that its IT security team identified unauthorized activity involving an employee’s account on April 14, 2026. The company said an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of Carnival Corporation’s IT system.

Social engineering attacks are designed to manipulate people, not just technology. In many cases, cybercriminals use phishing emails, fake login pages, impersonation, or urgent requests to trick employees into giving up access or credentials. Once inside a system, attackers may search for files, databases, or records containing sensitive personal information.

Carnival Corporation has said it quickly blocked the unauthorized activity and began working with third-party cybersecurity experts to investigate what happened. The company later determined that personal information had been illegally copied.

Because Holland America Line is part of Carnival Corporation, Holland America customers should pay close attention to any official breach notice they receive from Carnival Corporation, Holland America Line, or a related entity. Reports have also linked allegedly leaked records to Holland America Line’s Mariner Society loyalty program, which may raise additional concerns for customers who have sailed with Holland America or participated in its loyalty program.

Individual notices are especially important because the information involved may vary from person to person.

 

What Information Was Exposed?

The information exposed in the breach may vary by individual. Carnival Corporation’s public notice stated that the impacted information may include names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, including driver’s license numbers and passport numbers.

This type of information can be valuable to cybercriminals. A name and email address can be used to send phishing messages. A phone number can be used for scam calls or text messages. A home address and date of birth can help criminals build a fuller profile of a person. A passport number or driver’s license number can create additional risks because those are government-issued identifiers that may be used in identity verification.

For Holland America travelers, loyalty information may also be a concern. If a scammer knows that someone is a Holland America customer or Mariner Society member, they may be able to create more convincing messages involving fake rewards, loyalty points, cruise credits, cabin upgrades, or account verification requests.

The more information a criminal has, the easier it may be to create a believable scam. A generic phishing email is one thing. A message that includes your name, contact information, cruise connection, or loyalty account language can be much more convincing.

That is why impacted individuals should not dismiss the breach simply because they have not yet seen suspicious activity. Personal information exposed in a breach may be stored, sold, combined with information from other breaches, or used later.

 

Who May Be Affected?

Reports citing state breach filings indicate that nearly 6 million people may have been affected by the Carnival Corporation data breach. Because Holland America Line is a Carnival Corporation brand, potentially affected individuals may include current or former Holland America customers, cruise passengers, loyalty members, or others whose information was stored in impacted company systems.

You may be affected if you received an official breach notice. You may also want to stay alert if you previously booked a Holland America cruise, traveled with Holland America Line, created an online account, participated in the Mariner Society loyalty program, submitted passport or driver’s license information, or provided personal details in connection with a Holland America trip.

Receiving a notice is the clearest sign that the company believes your information may have been involved. However, not every traveler sees a notice right away. Emails can be missed, filtered into spam folders, sent to old addresses, or overlooked. If you believe you may have had information stored with Holland America or Carnival Corporation, it is worth reviewing your email, checking for official breach communications, and monitoring your accounts.

Passengers should also avoid assuming they are safe simply because they did not recently sail. Travel companies may retain personal information for years due to business, legal, regulatory, tax, loyalty, or operational reasons. A past Holland America customer may still have information stored in company systems.

 

Potential Identity Theft Risks

A data breach does not always lead to identity theft, but it can increase the risk. When personal information is exposed, cybercriminals may use it in different ways depending on what they obtained.

One major risk is phishing. Scammers may send emails or text messages pretending to be Holland America, Carnival Corporation, a travel agency, a bank, a credit monitoring provider, or a government agency. These messages may claim there is a problem with your refund, booking, passport, loyalty account, payment method, or breach enrollment. The goal may be to get you to click a link, provide additional information, or download malware.

Another risk is account takeover. If criminals have your email address and other identifying details, they may try to access travel accounts, loyalty programs, payment accounts, or other online services. This risk is greater if you reuse passwords across accounts.

There may also be identity verification risks. Driver’s license numbers and passport numbers can be used in attempts to impersonate someone, bypass verification checks, or commit fraud. Even if a passport number alone is not enough to steal an identity, it can become more dangerous when combined with a name, date of birth, address, and phone number.

Holland America customers may also face travel-specific scams. A scammer may send a fake message about Mariner Society points, an exclusive loyalty credit, a refund, a future cruise credit, a cabin upgrade, missing travel documents, or a payment issue. Because those topics are common in the cruise industry, they may not seem suspicious at first.

Affected individuals may also face long-term uncertainty. Unlike a credit card number, which can usually be canceled and replaced quickly, personal identifiers such as dates of birth and government ID information are harder to change. That can leave victims monitoring for suspicious activity long after the breach notice arrives.

 

Steps Holland America Travelers Should Take

If you received a Holland America or Carnival Corporation breach notice, read it carefully and save a copy. The notice may explain what happened, what information was involved in your case, and whether you are eligible for protective services. Carnival Corporation has said it is offering eligible U.S. individuals two years of complimentary credit monitoring through TransUnion.

Next, change the password for your Holland America-related account. If you used the same password anywhere else, change those passwords too. Reused passwords can turn one breach into several compromised accounts. Use strong, unique passwords and enable multi-factor authentication where available.

Monitor your bank accounts, credit card statements, credit reports, travel accounts, and loyalty programs for suspicious activity. Watch for unauthorized charges, unfamiliar login attempts, missing loyalty points, password reset emails, suspicious account changes, or messages asking you to verify personal information.

If sensitive identifying information was exposed, consider placing a fraud alert or credit freeze with the major credit bureaus. A fraud alert asks creditors to take extra steps before opening new credit in your name. A credit freeze can help prevent new credit accounts from being opened in your name without your authorization.

If your passport number was exposed, consider contacting the U.S. Department of State or the appropriate passport authority to ask what steps may be recommended. If your driver’s license number was exposed, contact your state motor vehicle agency to ask whether any protective options are available.

Be cautious of any message asking you to verify personal information, pay a fee, claim a refund, enroll in credit monitoring, update your Mariner Society account, or resolve an urgent travel issue. Instead of clicking links in unexpected emails or texts, go directly to the official company website or use contact information from the official notice.

Finally, keep records. Save breach notices, suspicious messages, fraud alerts, account statements, credit reports, receipts, and notes documenting the time you spend responding to the incident. If you later pursue a legal claim, those records may help show how the breach affected you.

 

Frequently Asked Questions

How many people were affected by the Holland America-related breach?

Reports citing state breach filings indicate that nearly 6 million people may have been affected by the Carnival Corporation data breach. Because Holland America Line is part of Carnival Corporation, Holland America customers may be among those affected. Reports have also linked allegedly leaked data to Holland America Line’s Mariner Society loyalty program. The exact impact may vary by individual, so affected customers should review any official notice they receive carefully.

What information was exposed?

Carnival Corporation has stated that the impacted information may include names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, such as driver’s license numbers and passport numbers. The company has also said that the information involved varies by individual. That means one person’s notice may list different exposed data than another person’s notice. If your passport or driver’s license number was involved, you may want to take additional protective steps.

How do I know if I was impacted?

The clearest way to know is to look for an official notice from Carnival Corporation, Holland America Line, or a related entity. You should check your email, spam folder, and any account connected to Holland America bookings or Mariner Society membership. If you received a notice, save it and follow the instructions carefully. Even if you did not receive a notice, you should remain alert if you previously provided personal information to Holland America or one of Carnival Corporation’s cruise brands.

Can I receive compensation?

You may be able to pursue compensation after a data breach, depending on the facts of your situation. Potential claims may depend on what information was exposed, whether the company took reasonable steps to protect your data, whether you experienced fraud or identity theft, and what time or money you spent responding to the breach. Compensation may include reimbursement for out-of-pocket losses, time spent addressing the breach, credit monitoring costs, or other damages available under the law.

What should I do next?

Start by reading and saving any breach notice you received. Change passwords for Holland America-related accounts and any other accounts where you reused the same password. Monitor financial accounts, credit reports, cruise accounts, and loyalty accounts for suspicious activity. Consider a fraud alert or credit freeze if sensitive identifying information was exposed. If your passport or driver’s license number was involved, contact the appropriate government agency to ask what protective options may be available. You should also speak with an attorney if you believe your personal information was put at risk.

Morgan & Morgan May Be Able to Help

A data breach can leave you with more questions than answers. You may not know exactly who has your information, how it may be used, or what steps you need to take to protect yourself. You may also be wondering whether Carnival Corporation or Holland America Line could be held responsible for failing to safeguard your personal data.

If you received a Holland America or Carnival Corporation data breach notice, Morgan & Morgan may be able to help. Our data breach attorneys can review your situation, explain your legal rights, and determine whether you may be entitled to compensation.

 

Contact Morgan & Morgan today for a free, no-obligation case evaluation. Hiring one of our attorneys is easy, and you pay nothing up front. The Fee Is Free® unless we win.

Disclaimer
This website is meant for general information and not legal advice.