Holland America Data Breach 2026: What Affected Travelers Need to Know

5 min read time
Headshot of U. Seth Ottensoser, a New York City-based mass arbitration lawsuit lawyer at Morgan & Morgan Reviewed by U. Seth Ottensoser, Attorney at Morgan & Morgan, on July 7, 2026.
Media image.

Key Takeaways

  • Holland America customers may have been affected by a 2026 Carnival Corporation data breach involving unauthorized access to company systems.
  • Exposed information may include names, contact details, dates of birth, passport numbers, and driver’s license numbers, depending on the individual.
  • Affected travelers should watch for phishing, monitor accounts, change reused passwords, and consider fraud alerts or credit freezes.
  • If you received a Holland America or Carnival Corporation breach notice, Morgan & Morgan may be able to help you understand your rights.

Injured? 

We can help.

For many travelers, a cruise vacation begins with trust. Passengers provide names, addresses, payment details, passport information, identification numbers, birth dates, contact information, and other personal details because they are required to book, board, and travel. When that information is exposed in a data breach, the consequences can follow travelers long after the trip is over.

Holland America Line customers may now have questions after Carnival Corporation, Holland America’s parent company, disclosed a 2026 data breach that may have exposed personal information belonging to certain travelers and customers. According to reports and public breach information, the incident involved unauthorized access to a portion of Carnival Corporation’s IT system after an employee account was compromised through social engineering.

Because Holland America Line is part of Carnival Corporation, Holland America customers should pay close attention to any breach notice they receive and take steps to protect their personal information. For affected travelers, the breach raises urgent questions: What information was exposed? How do I know if I was included? What should I do if my passport or driver’s license number was compromised? And can I seek compensation if my personal information was mishandled?

Here is what Holland America passengers and potentially affected travelers should know.

 

What Happened in the Holland America-Related Breach?

Carnival Corporation, the parent company of Holland America Line, disclosed a cybersecurity incident in 2026 after its IT security team identified unauthorized activity involving an employee’s account. The company said an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of the company’s IT system.

Social engineering is a common tactic used by cybercriminals to trick employees into giving up access, credentials, or sensitive information. Instead of breaking through a company’s systems by brute force, attackers may impersonate trusted parties, send phishing messages, or manipulate employees into taking actions that open the door to unauthorized access.

For Holland America customers, the concern is that personal information provided in connection with cruise bookings, loyalty accounts, travel documentation, or other cruise-related services may have been stored in systems connected to the broader Carnival Corporation incident.

Carnival Corporation has said it blocked the unauthorized activity and began working with third-party cybersecurity experts to investigate the incident and strengthen its systems. The company also began notifying affected individuals whose information may have been involved.

Those notices are important because the specific information exposed may vary from person to person.

 

What Information Was Exposed?

The information exposed in the breach may vary by individual. Public breach reporting has indicated that the impacted information may include names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, including driver’s license numbers and passport numbers.

That combination of information can be serious. A name and email address alone may lead to phishing attempts. A date of birth, address, and government ID number may create a greater risk of identity theft, account fraud, travel-related scams, or attempts to impersonate the victim.

For Holland America travelers, passport information can be especially concerning. A passport number is not the same as a Social Security number, but it is still a sensitive government-issued identifier. When combined with a person’s name, date of birth, address, phone number, or travel history, it may be used in fraudulent schemes or targeted scams.

Loyalty program information may also be valuable to scammers. Holland America’s Mariner Society program, like many travel loyalty programs, may connect passengers to account details, travel history, rewards, promotions, contact information, and preferences. If scammers know that someone is a Holland America customer, they may be able to create more convincing emails, texts, or phone calls involving fake cruise offers, loyalty points, refunds, or account updates.

Affected individuals should read any notice they receive carefully to identify which data elements were involved in their specific case.

 

Who May Be Affected?

The breach may affect individuals whose personal information was stored in the impacted portion of Carnival Corporation’s systems. Because Holland America Line is part of Carnival Corporation, this may include current or former Holland America customers, travelers, loyalty members, or others whose information was collected in connection with Holland America cruise operations.

You may be affected if you booked a Holland America cruise, created an online account, joined or used the Mariner Society loyalty program, submitted passport or driver’s license information, purchased cruise-related services, or provided personal information connected to a Holland America trip.

The clearest sign that you may be affected is receiving a data breach notice from Carnival Corporation, Holland America Line, or a related entity. However, emails can be missed, filtered into spam folders, sent to outdated addresses, or overlooked. Holland America customers should review their inboxes carefully and monitor accounts for suspicious activity.

Passengers should also avoid assuming they are safe simply because they did not recently sail. Travel companies may retain personal information for years due to business, legal, regulatory, loyalty, tax, or operational reasons. A past Holland America customer may still have information stored in company systems.

 

Potential Risks to Travelers

The risks from a data breach depend on what information was exposed. In this case, the potential exposure of names, contact information, dates of birth, and government ID numbers may create several concerns.

First, affected individuals may face a higher risk of phishing. Cybercriminals may use stolen information to make emails, texts, or phone calls seem more legitimate. A scammer who knows your name, phone number, email address, or cruise connection may pretend to be Holland America, Carnival Corporation, a travel agency, a bank, a government agency, or a fraud department.

Second, affected individuals may face identity theft risks. Government-issued identification numbers, especially when combined with dates of birth and addresses, can be useful to criminals attempting to open accounts, bypass identity checks, or impersonate victims.

Third, travelers may be targeted with cruise-related scams. Holland America customers should be cautious of messages about refunds, future cruise credits, Mariner Society loyalty points, cabin upgrades, missed payments, account verification, passport problems, or urgent travel documentation issues. Scammers often use real events, including data breaches, to create fake urgency.

Fourth, exposed passport or driver’s license information may require additional steps. If your passport number or driver’s license number was exposed, you may need to contact the appropriate government agency or your state motor vehicle department to ask what protective steps are available.

Even if you have not seen fraud yet, that does not mean the information is harmless. Personal data can circulate, be sold, combined with other breached records, or used months after a breach becomes public.

 

Next Steps for Impacted Individuals

If you received a data breach notice related to Holland America Line or Carnival Corporation, start by reading it carefully. The notice should explain what happened, what information may have been involved, and whether the company is offering any protective services.

You should also monitor your financial accounts, credit reports, travel accounts, and loyalty accounts for suspicious activity. Watch for unauthorized charges, password reset emails, unfamiliar account activity, new credit inquiries, or messages asking you to verify personal information.

Consider placing a fraud alert or credit freeze with the major credit bureaus. A fraud alert asks creditors to take extra steps before opening new credit in your name. A credit freeze can help prevent new credit accounts from being opened without your authorization. A freeze must typically be placed separately with each major credit bureau.

If your Holland America account password was reused elsewhere, change it immediately. Even if the notice does not say passwords were exposed, reused passwords can create risk if scammers use breach-related information to target related accounts. Use a strong, unique password and enable multi-factor authentication where available.

If your passport information was exposed, contact the U.S. Department of State or the appropriate passport authority for your situation. If your driver’s license number was exposed, contact your state motor vehicle agency to ask whether a flag, replacement, or other protective step is available.

You should also save all records related to the breach. Keep the notice you received, screenshots of suspicious messages, records of fraudulent charges, credit monitoring alerts, time spent dealing with the issue, and any out-of-pocket expenses. These records may be important if you later pursue a legal claim.

 

Can Affected Holland America Customers Take Legal Action?

Companies that collect and store personal information have a responsibility to use reasonable measures to protect it. When a company fails to safeguard sensitive data, delays notice, or exposes consumers to identity theft and fraud, affected individuals may have legal rights.

Whether you may have a claim depends on several factors, including what information was exposed, how the breach occurred, whether the company used reasonable cybersecurity practices, how long the company took to notify affected individuals, whether you experienced fraud or identity theft, and what steps you had to take to protect yourself.

Compensation in data breach cases may include reimbursement for out-of-pocket losses, time spent addressing the breach, costs related to credit monitoring or identity protection, and other damages depending on the law and the facts of the case.

If you received a Holland America or Carnival Corporation data breach notice or believe your information may have been exposed, Morgan & Morgan may be able to help you understand your options. Our attorneys have experience handling data breach and privacy claims, and we fight for people whose sensitive information may have been put at risk.

 

Frequently Asked Questions

What information was exposed in the Holland America data breach?

The exposed information may vary by individual, but public breach reporting has indicated that the impacted data may include names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers, such as driver’s license numbers and passport numbers. If you received a notice, review it closely because it may identify the specific types of information involved in your case.

How do I know if I was affected?

The clearest way to know is to look for an official notice from Carnival Corporation, Holland America Line, or a related entity. You should check your email, spam folder, and any account connected to Holland America bookings or Mariner Society membership. If you previously booked a Holland America cruise, created an online account, submitted identification information, or provided personal details in connection with a cruise, you should remain alert and monitor your accounts.

Can I receive compensation after a data breach?

You may be able to seek compensation after a data breach, but it depends on the facts of your situation. Potential compensation may relate to financial losses, identity theft, fraudulent charges, time spent addressing the breach, costs for protective services, or other damages. A lawyer can help determine whether the breach caused harm and whether the company may be legally responsible for failing to protect your information.

Should I change my passwords?

Yes, it is a good idea to change the password for any Holland America-related account, especially if you used the same password on other websites. You should also change passwords for any account that uses the same or similar login credentials. Use unique passwords for each account and enable multi-factor authentication when possible. Be cautious of emails or texts asking you to “verify” your password or account information, as scammers may use the breach as an opportunity to impersonate Holland America or another trusted organization.

What should I do if my passport information was exposed?

If your passport number was exposed, take the issue seriously. Monitor for suspicious travel-related communications and be cautious of anyone claiming there is an urgent issue with your passport, cruise booking, refund, or travel documents. You may want to contact the U.S. Department of State or the appropriate passport agency to ask what steps are recommended for your situation. If you believe your passport has been used fraudulently or your identity has been stolen, report the issue to law enforcement and keep records of every step you take.

Morgan & Morgan May Be Able to Help

A data breach can leave you feeling exposed, frustrated, and unsure of what to do next. You trusted a cruise company with your personal information, and now you may be the one left watching your accounts, changing passwords, freezing credit, and worrying about identity theft.

If you received a Holland America or Carnival Corporation data breach notice, Morgan & Morgan may be able to help. Our data breach attorneys can review your situation, explain your rights, and determine whether you may be entitled to compensation.

 

Contact Morgan & Morgan today for a free, no-obligation case evaluation. Hiring one of our attorneys is easy, and you pay nothing up front. The Fee Is Free® unless we win.

Disclaimer
This website is meant for general information and not legal advice.