Texas Attorney General Opens Data-Breach Investigation Into Carnival, Issues Civil Investigative Demand (2026)
Texas Attorney General Opens Data-Breach Investigation Into Carnival, Issues Civil Investigative Demand (2026)
Texas Attorney General Ken Paxton announced on June 23, 2026, that his office has opened an investigation into Carnival Corporation and issued a Civil Investigative Demand over a 2026 data breach reported to affect more than 800,000 Texans. This is an investigation, not a finding of wrongdoing.
Information last verified on June 24, 2026. This is a developing story; we update it as the record changes.
Status: The Texas Attorney General announced an ongoing investigation and issued a Civil Investigative Demand on June 23, 2026. No findings, violations, or penalties have been determined as of June 24, 2026.
Jurisdiction scope: This article addresses a Texas Attorney General investigation and Texas data-breach law as of June 24, 2026. It is general legal information, not legal advice, and it does not predict any outcome. For related topics see Texas data privacy laws and the Texas rules for data breach notification.
What Happened
On June 23, 2026, the Office of the Texas Attorney General announced that it has opened an investigation into Carnival Corporation and issued a Civil Investigative Demand to the company. According to the OAG announcement, the demand seeks to determine whether Carnival adequately safeguarded the personal information of Texas consumers and whether the company maintained reasonable procedures to protect that information as required by Texas law. The OAG announcement frames this as an ongoing investigation; it does not state a finding of wrongdoing.
According to the OAG and to reporting, Carnival's information-technology security team detected unauthorized activity involving an employee account on April 14, 2026. The OAG and reporting describe the incident as a social-engineering attack in which an unauthorized actor deceived an employee to gain access to company systems. Carnival has reportedly said it began investigating once it detected the activity.
The information reportedly accessed includes names, contact details, dates of birth, passport numbers, driver's license numbers, payment information, and some health information, according to the OAG and reporting. Categories like passport and driver's license numbers fall within the "sensitive personal information" that Texas data-breach law is designed to protect.
According to the OAG announcement, Carnival's breach notification to the Texas Attorney General reported 800,060 affected Texas consumers, and the total number affected has been reported at approximately 6 million people. We could not independently confirm the exact six-million figure against a primary count; it is attributed to the OAG announcement and to news reporting and may be refined as the record develops.
Reporting indicates that Carnival submitted its notification to the OAG about 44 days after the breach was discovered. As described below, that timing is one of the facts an investigation can examine against the Texas notice rules. Carnival has reportedly said it will cooperate fully with the Attorney General's office, and it has reportedly offered affected U.S. residents complimentary credit monitoring. None of this establishes that Carnival violated any law; the matter is at the investigation stage.
What the Law Actually Says
The Texas investigation centers on the Texas Identity Theft Enforcement and Protection Act, codified at Texas Business and Commerce Code Chapter 521, together with the Texas Deceptive Trade Practices Act (DTPA). The following describes the statutes generally; it is not a conclusion about Carnival's conduct.
The duty to safeguard data (Tex. Bus. & Com. Code 521.052). Section 521.052 requires a business to implement and maintain reasonable procedures, including appropriate corrective action, to protect sensitive personal information collected or maintained in the regular course of business from unlawful use or disclosure. The statute does not list specific technical controls; in practice, the OAG evaluates whether a company's safeguards were reasonable under the circumstances. The OAG's announced investigation reportedly probes whether Carnival met this reasonable-safeguards duty.
The breach-notification rule (Tex. Bus. & Com. Code 521.053). Section 521.053 requires a business that owns or licenses computerized data containing sensitive personal information to disclose a breach of system security to affected Texans without unreasonable delay and in each case not later than the 60th day after the business determines the breach occurred, subject to limited exceptions. A separate provision requires notice to the Texas Attorney General as soon as practicable and not later than the 30th day after the business determines the breach occurred, when the breach involves at least 250 Texas residents. The reported 44-day timeline for Carnival's OAG notice is the kind of fact an investigation can measure against that 30-day attorney-general-notice window, though whether any delay was "unreasonable" or excused is exactly the type of question an investigation examines, and no determination has been made.
Enforcement and penalties. Violations of Chapter 521 can carry civil penalties, and the OAG can also pursue claims under the DTPA. Chapter 521 sets civil penalties for violations, and Texas reporting describes a per-violation penalty range. The OAG, not a private plaintiff, brings these enforcement actions. The existence of a penalty range in the statute does not mean any penalty applies here; that would require a finding that has not occurred.
What a Civil Investigative Demand is. A Civil Investigative Demand is a formal, pre-suit investigative tool. It allows the Attorney General to compel a company to produce documents, answer written questions, or give testimony so the office can decide whether the law was violated and whether to take further action. A CID is a request for information, not a lawsuit and not a finding. Receiving a CID does not mean a company did anything wrong.
For a state-by-state contrast, Texas's rules differ in detail from other states; you can compare the Texas approach with the California data breach notification framework, which has its own timing and content requirements.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
State attorneys general have become a steady force in data-security enforcement, operating alongside the Federal Trade Commission rather than waiting on it. The Texas OAG's use of a Civil Investigative Demand here reflects a familiar pattern: a large breach affecting many state residents, followed by a state-level inquiry into whether the company's safeguards and notice practices met state law. We have covered comparable privacy and breach enforcement in our reporting on the FTC's Mobilewalla sensitive-location-data order and the approved 23andMe data-breach settlement.
Two features of Texas law make it a natural vehicle for this kind of inquiry. First, Section 521.052's "reasonable procedures" standard is flexible, which lets the OAG examine a company's actual security posture rather than a checklist. Second, the statute pairs a safeguards duty with concrete notice deadlines, giving the office two distinct questions to test: was the data protected reasonably, and was notice timely. That combination is why the reported 44-day OAG-notice timeline draws attention, even though whether it was timely or excused is unresolved.
None of this predicts an outcome. Investigations can end in many ways, and the announcement itself contains no finding that Carnival violated any law. The significance for now is procedural and informational: a major company's breach is under formal Texas review, and the public record is likely to grow.
How This Affects You
This section is general information, not individualized advice.
If you are a consumer who may be affected, general steps after any reported breach include watching account statements and credit reports for unfamiliar activity, considering a fraud alert or a security freeze with the major credit bureaus, and taking any credit-monitoring offer the company extends. Be cautious about unsolicited messages that reference the breach, because breaches are sometimes followed by phishing attempts. Whether your specific information was involved is something only the company's notice to you can confirm; a state investigation does not by itself tell you that your data was exposed.
If you operate a business that handles Texas residents' sensitive personal information, the general Texas obligations include maintaining reasonable safeguards under Section 521.052 and meeting the notice deadlines in Section 521.053, including AG notice within 30 days when at least 250 Texas residents are affected. You can review the Texas framework on our Texas data privacy laws page. For your own situation, consult a licensed Texas attorney rather than relying on this general overview.
What Happens Next
The Civil Investigative Demand starts an information-gathering phase. Carnival can respond by producing the requested documents and answers; companies sometimes negotiate the scope of a CID or raise objections through counsel. The OAG then reviews what it receives and decides whether the facts support further action.
From there, an investigation like this can resolve in several ways. The office might close the matter without action, reach a settlement or assurance of voluntary compliance, or file an enforcement suit. We are not predicting which path this investigation will take, and no timeline has been announced. As the Texas record develops, including any further OAG statements or court filings, we will update this article.
This article is general legal information, not legal advice. It focuses on Texas law and a Texas Attorney General investigation, and its facts were verified as of June 24, 2026. It does not establish that any company violated the law and does not predict any outcome. For advice about your specific situation, consult a licensed attorney in your jurisdiction.
Sources
- Office of the Texas Attorney General, "Attorney General Paxton Announces Ongoing Investigation into Carnival Cruise Line Over Data Breach," June 23, 2026: https://www.texasattorneygeneral.gov/news/releases/attorney-general-paxton-announces-ongoing-investigation-carnival-cruise-line-over-data-breach
- Texas Constitution and Statutes, Tex. Bus. & Com. Code 521.053 (Notification Required Following Breach of Security of Computerized Data): https://statutes.capitol.texas.gov/GetStatute.aspx?Code=BC&Value=521.053
- Office of the Texas Attorney General, Identity Theft Enforcement and Protection Act overview: https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/identity-theft-enforcement-and-protection-act
Related articles
- Texas data privacy laws
- Texas data breach notification rules
- California data breach notification
- FTC Mobilewalla sensitive-location-data order
- 23andMe data-breach settlement approved
Last updated: 2026-06-24. This is a developing story; details verified as of 2026-06-24.
Frequently Asked Questions
Is Carnival being sued by Texas?
No. As of June 24, 2026, this is an investigation, not a lawsuit and not a finding of wrongdoing. On June 23, 2026, the Texas Attorney General announced an ongoing investigation and issued a Civil Investigative Demand, which is a request for information. No violation has been determined and no penalty has been imposed.
What is a Civil Investigative Demand?
A Civil Investigative Demand (CID) is a formal pre-suit tool that lets the Attorney General compel a company to produce documents, answer written questions, or give testimony. It helps the office decide whether the law was violated and whether to act. A CID is not a lawsuit and not a finding of liability.
How long does a company have to report a data breach in Texas?
Under Tex. Bus. & Com. Code 521.053, a business must notify affected Texans without unreasonable delay and not later than the 60th day after it determines the breach occurred. When at least 250 Texas residents are affected, the business must also notify the Texas Attorney General not later than the 30th day after determining the breach occurred.
Did Carnival violate Texas law?
That has not been determined. The Texas OAG announcement describes an investigation into whether Carnival maintained reasonable safeguards as required by Texas law. It does not state that Carnival violated any law. Carnival has reportedly said it will cooperate fully.
Was my information exposed in the Carnival breach?
A state investigation does not tell you whether your specific information was involved. Only a direct breach notice from the company can confirm that. According to the OAG and reporting, the data categories at issue reportedly included names, dates of birth, passport numbers, driver license numbers, payment information, and some health information.
How many people were affected?
According to the OAG announcement, Carnival reported 800,060 affected Texas consumers, and the total affected has been reported at approximately 6 million people. We could not independently confirm the exact six-million figure; it is attributed to the OAG and to reporting and could change as the record develops.
What Texas laws are involved?
The investigation references the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ch. 521), including the safeguards duty in Section 521.052 and the notification rule in Section 521.053, along with the Texas Deceptive Trade Practices Act as an enforcement hook.
What should affected consumers generally do?
As general information, consumers commonly monitor account statements and credit reports, consider a fraud alert or security freeze with the credit bureaus, and use any credit-monitoring the company offers. This is not individualized advice; consult a licensed attorney for your situation.
Sources and References
- Office of the Texas Attorney General press release announcing the ongoing Carnival investigation and CID (June 23, 2026)(texasattorneygeneral.gov).gov
- Tex. Bus. & Com. Code 521.053, Notification Required Following Breach of Security of Computerized Data(statutes.capitol.texas.gov).gov
- Texas OAG overview of the Identity Theft Enforcement and Protection Act (Ch. 521)(texasattorneygeneral.gov).gov