Hotels, casinos, cruise lines, and restaurant chains collect payment data, loyalty credentials, and personal identifiers from customers nationwide. When breaches trigger multi-state notification laws, the same brand can appear on Texas, Washington, and California Attorney General portals within days.
Carnival Corporation is the clearest 2026 example: 800,060 Texans, 54,960 Washingtonians, and a California AG list entry — all published in May 2026.
Texas Hospitality & Retail Breaches (2026)
Interactive Tracker
Texas Hospitality & Retail Breaches: 2026 OAG Reports
Texans affected by 2026 breach notices from hotels, casinos, restaurants, and retailers, by month
Show largest 2026 hospitality and retail breach reports
| Entity | Published | Texans affected | Sector |
|---|---|---|---|
| Carnival Corporation | May 28, 2026 | 800,060 | Other |
| Restaurant Management Company of Wichita, Inc. | Apr 22, 2026 | 52,017 | Healthcare / Medical |
| Choice Hotels International, Inc. | Feb 20, 2026 | 2,559 | PII / Identity |
| Ace Mart Restaurant Supply | Feb 17, 2026 | 1,484 | Financial |
| Powerhouse Retail Services | Feb 4, 2026 | 1,480 | Healthcare / Medical |
Source: Texas Attorney General - Data Security Breach Reports, industry-filtered. Data current through Jun 18, 2026.
Sources
State AG breach portals
State AG reporting & notices
Notable Texas Notices
| Organization | Texans Affected | Date Published |
|---|---|---|
| Carnival Corporation | 800,060 | May 28, 2026 |
| Restaurant Management Company of Wichita, Inc. | 52,017 | Apr 22, 2026 |
| Choice Hotels International, Inc. | 2,559 | Feb 20, 2026 |
| Ace Mart Restaurant Supply | 1,484 | Feb 17, 2026 |
| Powerhouse Retail Services | 1,480 | Feb 4, 2026 |
Washington Hospitality & Retail Breaches (2026)
Interactive Tracker
Washington Hospitality & Retail Breaches: 2026 AG Reports
Washingtonians affected by 2026 breach notices from hotels, casinos, restaurants, and retailers, by month
Show largest 2026 Washington hospitality and retail breach reports
| Entity | Published | Washingtonians affected | Sector |
|---|---|---|---|
| Carnival Corporation | May 27, 2026 | 54,960 | Other |
| Caesars Entertainment, Inc. | May 19, 2026 | 44,023 | PII / Identity |
| 7-Eleven, Inc. | May 15, 2026 | 1,940 | PII / Identity |
| Panera, LLC | Apr 16, 2026 | 1,564 | Other |
Source: Washington State Attorney General - Data Breach Notifications, industry-filtered. Data current through May 27, 2026.
Sources
State AG breach portals
Notable Washington Notices
| Organization | Washingtonians Affected | Date Published |
|---|---|---|
| Carnival Corporation | 54,960 | May 27, 2026 |
| Caesars Entertainment, Inc. | 44,023 | May 19, 2026 |
| 7-Eleven, Inc. | 1,940 | May 15, 2026 |
| Panera, LLC | 1,564 | Apr 16, 2026 |
California AG List (No Affected Counts)
California does not publish resident-affected totals, but the same brands recur:
| Organization | Date Reported |
|---|---|
| Carnival Corporation | May 27, 2026 |
| Casino, LLC dba Larry Flynt’s Lucky Lady Casino | Jun 10, 2026 |
| JC Resorts LLC | Apr 28, 2026 |
| Wynn Resorts, Limited | Apr 3, 2026 |
| Nobu Restaurant Group Holding Company, LLC | Apr 17, 2026 |
| Madison Square Garden Entertainment Corp. | Feb 26, 2026 |
| Choice Hotels International, Inc. | Feb 19, 2026 |
| Retail Merchandising Services | Mar 16, 2026 |
Why This Matters for Operators
Hospitality and retail firms process high volumes of PCI and loyalty data. Weak email authentication enables booking fraud, gift-card scams, and vendor impersonation — common paths to breach notifications.
Recommendations
- Enforce DMARC, SPF, and DKIM on customer-facing domains.
- Segment POS and loyalty systems from corporate email.
- Train front-line and reservations staff on phishing and social engineering.
- Review third-party booking and payment vendor access.
Related trackers
- Texas OAG YTD dashboard
- Healthcare AG breach tracker
- Financial services tracker
- Law firm breach tracker
- Washington healthcare breaches (2026)
- Washington law firm breaches (2026)
- CA June roundup
- TX July roundup
- WA May roundup
- TX Parks breach
- Have I Been Pwned
- HIBP July roundup
- Monitoring guide
- All trackers