Carnival's April 2026 Data Breach: 4 Steps Every Affected Canadian Should Take Now

May 31, 2026

Carnival Corporation confirmed on May 27, 2026 that hackers stole the personal data of nearly 6 million customers in an April breach — including passport numbers, driver's licence numbers, and email addresses. If you've sailed with Carnival, Holland America, or any of its eight brands, your data may now be in criminal hands. Under Canadian privacy law, you have specific rights — and the clock has started.

What Happened in the Carnival Breach

On April 10, 2026, the hacker group ShinyHunters gained access to Carnival's IT systems through a social engineering attack, tricking an employee into granting unauthorized access. By April 22, the company had determined that data had been illegally copied. Yet affected individuals were not notified until May 27 — a six-week gap that consumer privacy advocates are already calling into question.

The breach affects 5,995,277 customers, according to Carnival's own disclosure. Stolen data includes names, dates of birth, genders, email addresses, home addresses, phone numbers, driver's licence numbers, and passport numbers. For many Canadians who travelled on Carnival's ships through loyalty programs like the Holland America Mariner Society, their most sensitive government-issued IDs are now exposed.

Carnival is offering 24 months of free credit monitoring through TransUnion — but only to eligible U.S. residents. Canadian customers are not automatically covered under that offer.

Your Rights Under PIPEDA — Canada's Privacy Law

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) creates clear obligations for companies that collect the personal data of Canadians, even if those companies are headquartered abroad. Under PIPEDA, when a breach poses a "real risk of significant harm" to individuals, the organization must:

  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC)
  • Notify every affected individual directly
  • Keep records of all breaches for at least 24 months

Failing to report a qualifying breach carries fines of up to $100,000 CAD per offence. The OPC has the authority to investigate complaints and issue recommendations — and if Carnival failed to adequately notify Canadian customers or took too long to report, a formal complaint can be filed with the OPC at no cost.

Quebec residents have additional protection under Law 25 (Act Respecting the Protection of Personal Information in the Private Sector), which can impose penalties up to $10 million CAD or 2% of worldwide turnover for organizations that fail to properly notify affected individuals within 72 hours of discovering a breach.

For information on how to respond to a privacy breach or report a concern, the Office of the Privacy Commissioner of Canada maintains detailed guidance at priv.gc.ca/en/privacy-topics/privacy-breaches/.

4 Immediate Steps for Canadians Affected

If you've received a notification from Carnival — or believe you sailed on one of its ships and haven't heard anything — these steps can reduce your risk:

1. Place a fraud alert on your credit file. Contact Equifax Canada (1-800-465-7166) or TransUnion Canada (1-800-663-9980) to add a fraud alert to your credit profile. This requires creditors to verify your identity before opening new accounts in your name. The service is free.

2. Monitor your credit report immediately. Under Canadian law, you're entitled to a free credit report from both Equifax and TransUnion. Check for accounts you don't recognize, recent hard inquiries you didn't authorize, or addresses you've never lived at.

3. File a complaint with the OPC. If Carnival failed to notify you in a timely manner, or if the company's response did not meet PIPEDA requirements, you can file a complaint directly with the Office of the Privacy Commissioner. The OPC investigates and publishes findings, which can also support civil claims.

4. Consult a privacy lawyer if your passport number was exposed. A passport number combined with a date of birth and home address is enough for identity thieves to open credit accounts, make fraudulent travel documents, and commit financial fraud. If your passport data was among the stolen records, a lawyer specializing in privacy law can advise you on your exposure and whether you are owed compensation under Canadian law.

Why Canadians Are Not Fully Protected by Carnival's U.S. Response

The free TransUnion credit monitoring Carnival is offering applies to U.S. residents under U.S. state breach notification requirements. Canadian consumers operate under a different legal regime — PIPEDA at the federal level, plus provincial laws in Alberta (PIPA), British Columbia (PIPA BC), and Quebec (Law 25).

This means Canadians may need to take independent action, rather than relying on the credit monitoring Carnival is advertising. Privacy lawyers in Canada have seen similar situations before: a company discloses a breach, offers remedies designed for its largest market (the U.S.), and Canadian customers assume they're covered when they are not.

According to digital privacy coverage recently examined on Expert Zoom, surveillance and data collection operate under very different legal frameworks in Canada versus the United States — and those differences matter when seeking compensation or redress.

Most Canadians who receive a breach notification take no further action. That's understandable — the process of filing complaints and seeking redress feels complicated. But when the breached data includes government-issued ID numbers, the risk of long-term harm is real.

A privacy lawyer can help you assess:

  • Whether the notification you received meets PIPEDA's legal standards
  • Whether you have a cause of action under provincial privacy torts
  • Whether you should join a class action — legal proceedings against Carnival are already being filed in the U.S., and Canadian class actions for PIPEDA breaches are a growing area of law
  • Whether your passport exposure warrants applying for a new passport and flagging the compromise with Immigration, Refugees and Citizenship Canada (IRCC)

The six-week gap between Carnival's discovery of the breach (April 22) and its notification to affected individuals (May 27) may itself be a focus of regulatory scrutiny. PIPEDA requires notification "as soon as feasible" — and that phrase, regulators have made clear, does not mean six weeks.

If you believe you are among the nearly 6 million affected, do not wait for Carnival to act on your behalf. Your privacy rights under Canadian law are independent of whatever the cruise giant does in the United States.

Legal disclaimer: This article is for general informational purposes only and does not constitute legal advice. For guidance specific to your situation, consult a licensed Canadian lawyer.
