Holland America Data Breach: Are Cruise Travelers Becoming a Bigger Target?

4 min read time
Headshot of U. Seth Ottensoser, a New York City-based mass arbitration lawsuit lawyer at Morgan & Morgan Reviewed by U. Seth Ottensoser, Attorney at Morgan & Morgan, on July 7, 2026.
Media image.

Key Takeaways

  • Holland America travelers may face heightened data risks because cruise lines collect identity, passport, payment, loyalty, and travel information.
  • Stolen cruise data can be used for phishing, identity theft, account takeovers, fake loyalty offers, and travel-related scams.
  • Cruise line breaches can expose not just who someone is, but how to contact them, what documents they use, and how they travel.
  • If your information was exposed in a Holland America or Carnival Corporation breach, Morgan & Morgan may be able to help you pursue compensation.

Injured? 

We can help.

Travel has always required trust. To book a cruise, board a ship, travel internationally, join a loyalty program, or purchase excursions, passengers may need to hand over names, addresses, dates of birth, passport numbers, driver’s license numbers, phone numbers, email addresses, payment information, emergency contacts, travel preferences, and other personal details.

That information helps cruise lines operate. It also makes them attractive targets for hackers.

Holland America Line customers may now be asking difficult questions after Carnival Corporation, Holland America’s parent company, disclosed a 2026 cybersecurity incident involving unauthorized access to company systems. Reports have also linked allegedly leaked records to Holland America Line’s Mariner Society loyalty program, raising additional concerns for travelers who trusted the cruise line with their personal information.

For passengers, the issue is bigger than one breach. Cruise lines and travel companies collect unusually detailed information about their customers. That data can reveal who someone is, how to contact them, where they have traveled, what documents they use, and sometimes when they may be away from home. In the hands of cybercriminals, those details can be used for identity theft, phishing, account takeovers, fake travel offers, and other scams.

So, are Holland America customers and other cruise travelers becoming bigger targets? The short answer is yes. The travel industry’s data is valuable, and cybercriminals know it.

 

Why Travel Companies Are Targeted

Travel companies hold a particularly valuable kind of data because it connects identity, money, location, and movement.

A hacker who steals only an email address may be able to send phishing messages. But a hacker who has a traveler’s name, date of birth, phone number, home address, passport number, loyalty account details, and cruise connection can create scams that feel much more personal and convincing.

Cruise lines may be especially attractive targets because of the amount and variety of information they collect. A single cruise brand may manage millions of passenger records, online accounts, reservations, payment systems, loyalty programs, onboard purchase histories, travel documents, excursion bookings, customer service records, and marketing databases.

Holland America Line, like other cruise companies, operates within a much larger travel ecosystem. Passengers may interact with booking platforms, customer service teams, port authorities, travel agents, excursion operators, payment processors, loyalty programs, and third-party vendors. Every system that stores or transmits personal information may create another potential access point for cybercriminals.

Attackers also understand that travel creates urgency. If a traveler receives a message saying there is a problem with a booking, passport, refund, loyalty account, cabin upgrade, or boarding document, they may act quickly. Scammers often rely on that urgency to get people to click links, share information, or make payments before verifying whether the message is real.

 

Types of Traveler Data Collected

Cruise lines and travel companies may collect a wide range of personal information from customers. Some of it is obvious. Some of it may not be top of mind until a breach happens.

Basic contact information may include a traveler’s name, home address, phone number, and email address. Identity information may include dates of birth, passport numbers, driver’s license numbers, and other government-issued identification details. Cruise lines may also collect payment information when customers book trips, reserve packages, purchase excursions, or add onboard spending accounts.

Loyalty programs can create another layer of personal data. Holland America’s Mariner Society program may connect passengers to rewards status, sailing history, offers, account preferences, and contact details. If loyalty account information is exposed, scammers may use it to make fake messages feel more legitimate. A message about “Mariner Society points,” “exclusive loyalty credits,” or “account verification” may seem believable to someone who has actually traveled with Holland America.

Travel companies may also collect information about travel companions, emergency contacts, accessibility needs, dietary preferences, and special requests. In some cases, cruise-related records may reveal past trips, upcoming plans, destinations, departure dates, and customer preferences.

That combination matters. A breach involving only an email address is concerning, but a breach involving identity documents, loyalty details, contact information, and travel records can create more serious risks. It may expose not just who someone is, but how to target them.

 

Cybersecurity Challenges in the Travel Industry

The travel industry faces cybersecurity challenges that are different from many other sectors. Cruise lines, airlines, hotels, and travel platforms often operate across countries, time zones, regulatory systems, and vendor networks. They must support booking engines, mobile apps, payment systems, loyalty programs, customer service tools, onboard technology, port systems, marketing databases, and third-party integrations.

That complexity can make cybersecurity harder.

A company may have strong protections in one area but weaker controls in another. A breach may begin with a phishing email, a compromised employee account, a vendor platform, an outdated system, or an exposed database. Once attackers gain access, they may look for the most valuable information: identity documents, contact information, payment records, loyalty account data, reservation details, or customer service files.

Social engineering is a major concern. Instead of hacking directly through technical defenses, attackers may trick employees into giving up credentials, approving access, or clicking malicious links. These attacks target people as much as systems. A single compromised account can become the doorway to larger amounts of sensitive data.

For cruise lines, cybersecurity is not just an internal technology issue. It is a customer trust issue. Passengers trust cruise companies with their safety while traveling. Increasingly, they also need to trust them with their digital identity before, during, and after the trip.

 

Past Travel Industry Breaches Show the Pattern

The Holland America-related concerns are part of a broader pattern across the travel and hospitality industry.

Hotels, airlines, booking platforms, and cruise companies have all faced cybersecurity incidents involving customer information. One of the best-known examples involved Marriott and Starwood, where personal information connected to hundreds of millions of guests was exposed, including names, contact information, passport details, loyalty account information, reservation data, and other personal records.

Airlines have also experienced major breaches. In recent years, airline incidents have exposed customer names, email addresses, phone numbers, dates of birth, frequent flyer numbers, and other account details. That type of data can be used for phishing, impersonation, loyalty fraud, and account takeover attempts.

Cruise lines are part of this same risk landscape. They collect many of the same data points as hotels and airlines, plus information tied to international travel, onboard accounts, shore excursions, passenger manifests, and loyalty programs. For cybercriminals, that data can be useful long after a cruise ends.

The pattern is clear: travel data has become valuable. Hackers know it. Consumers are beginning to realize it. Companies that collect that data should be expected to protect it.

 

Consumer Privacy Concerns for Holland America Travelers

For Holland America customers, the privacy concerns may feel especially personal. A cruise booking is not just a transaction. It may reveal who is traveling, when they are leaving, where they are going, which documents they use, and how they can be reached.

That information can create several risks.

A scammer may use stolen data to send a fake refund email, loyalty points notice, cabin upgrade offer, or account verification request. A criminal may try to use exposed passport or driver’s license information for identity-related fraud. A hacker may combine a traveler’s email address, date of birth, and phone number with information from other breaches to build a more complete identity profile.

Passengers may also face scams that sound highly specific to Holland America. A fraudulent message could reference Mariner Society points, future cruise credits, onboard spending credits, special offers, cruise documents, or payment issues. The more personal the message feels, the more likely a traveler may be to trust it.

Data breaches also shift the burden onto consumers. After a breach, affected travelers may need to monitor accounts, change passwords, freeze credit, enroll in monitoring, report suspicious messages, replace documents, and spend time trying to understand what happened. 

Even when a company offers credit monitoring, that does not erase the stress, inconvenience, or long-term uncertainty created by exposed personal information.

 

How Travelers Can Reduce Their Risk

Holland America customers and other cruise travelers can take steps to reduce their risk after a data breach.

First, read any notice carefully. The notice may explain what happened, what information was involved, and whether protective services are being offered. Save the notice in case you need it later.

Second, change the password for any Holland America-related account. If you used the same password on other websites, change those passwords too. Password reuse can allow criminals to access multiple accounts after one incident. Use strong, unique passwords and enable multi-factor authentication wherever available.

Third, monitor financial accounts, credit reports, travel accounts, and loyalty programs for suspicious activity. Watch for unauthorized charges, unfamiliar login attempts, password reset emails, missing loyalty points, or unexpected account changes.

Fourth, be cautious of emails, texts, or calls that mention refunds, loyalty points, cabin upgrades, payment problems, credit monitoring, or travel documents. Do not click links in unexpected messages. Instead, go directly to Holland America’s official website or contact the company using verified information.

Fifth, consider a fraud alert or credit freeze if sensitive identifying information was exposed. A fraud alert asks creditors to take extra steps before opening new accounts. A credit freeze can help prevent new credit accounts from being opened in your name without your authorization.

Finally, document everything. Keep breach notices, screenshots of suspicious messages, account alerts, credit monitoring notifications, receipts, and notes about the time you spend responding. These records may be important if you later pursue compensation.

 

Frequently Asked Questions

Why are cruise lines targeted by hackers?

Cruise lines are targeted because they collect large amounts of valuable personal information from travelers. This may include names, addresses, dates of birth, passport numbers, driver’s license numbers, payment information, loyalty account data, travel plans, and contact details. Hackers may use that information for identity theft, phishing scams, account takeovers, or fraud. Cruise lines also work with many systems and vendors, which can create more opportunities for cybercriminals to exploit weak points.

What information do cruise lines collect?

Cruise lines may collect contact information, identity information, payment details, passport or driver’s license numbers, dates of birth, emergency contacts, loyalty account details, booking records, travel companions’ information, and onboard purchase history. Depending on the trip and the traveler’s needs, a cruise line may also collect dietary, accessibility, or medical-related information. The exact information collected can vary by company, itinerary, destination, and passenger.

Are travel companies required to protect customer data?

Yes. Travel companies that collect personal information generally have legal obligations to use reasonable safeguards to protect that data. The specific requirements may depend on the type of information involved, where the customers live, where the company operates, and which privacy or data security laws apply. If a company fails to protect customer information, delays notice, or exposes consumers to identity theft or fraud, affected individuals may have legal rights.

What happens when a travel company is breached?

When a travel company is breached, the company should investigate what happened, determine what information was exposed, secure its systems, notify affected individuals when required, and offer guidance or protective services where appropriate. For consumers, the aftermath may involve monitoring accounts, changing passwords, watching for scams, freezing credit, replacing compromised documents, and dealing with identity theft or fraud. In some cases, affected individuals may be able to pursue compensation.

How can travelers reduce their risk?

Travelers can reduce their risk by using strong, unique passwords for cruise and travel accounts, enabling multi-factor authentication, avoiding password reuse, monitoring loyalty accounts, and being cautious of emails or texts about urgent travel issues. Travelers should also avoid clicking links in unexpected messages and instead log in directly through the official company website or app. After any breach, impacted individuals should review the notice carefully, monitor accounts, consider a fraud alert or credit freeze, and keep records of any suspicious activity or losses.

 

Morgan & Morgan May Be Able to Help

When a cruise line or travel company fails to protect personal information, travelers may be left to deal with the consequences. A data breach can expose sensitive information, create a risk of identity theft, and force consumers to spend time and money protecting themselves.

If your information was exposed in a Holland America Line or Carnival Corporation data breach, Morgan & Morgan may be able to help. Our data breach attorneys can review your situation, explain your rights, and determine whether you may be entitled to compensation.

 

Contact Morgan & Morgan today for a free, no-obligation case evaluation. Hiring one of our attorneys is easy, and you pay nothing up front. The Fee Is Free® unless we win.

Disclaimer
This website is meant for general information and not legal advice.