Digital Privacy & Data Rights — 2026-05-13
The Instructure Canvas breach continues to dominate privacy headlines, with hacker group ShinyHunters claiming to have stolen data from up to 275 million users across 8,800+ educational institutions — rattling schools and universities during finals season. Meanwhile, South Korea's data watchdog is moving toward a penalty decision in the Coupang e-commerce leak case, and a Zara database intrusion exposed personal data on nearly 200,000 customers. These incidents collectively underscore persistent vulnerabilities in platforms handling sensitive personal data at scale.
This Week's Top Story
Instructure Canvas Breach Hits Hundreds of Institutions — Harvard, MIT, Oxford Affected
- What happened: The ransomware and data-theft group ShinyHunters claimed responsibility for a breach of Instructure's Canvas learning management system, asserting it exfiltrated personal data from roughly 275 million users. The group published a list naming 8,800 institutions allegedly linked to the compromised data, including Harvard, MIT, Oxford, and hundreds of other leading universities. Some schools warned users not to log back into Canvas while investigations were ongoing.
- Who's affected: Students, instructors, and academic staff across approximately half of North American higher education institutions that rely on Canvas, as well as universities globally. The breach hit especially hard during finals season, compounding operational disruption.
- Why it matters: This is one of the largest education-sector breaches on record if the claimed scope is confirmed. Canvas is embedded in the daily workflows of millions of students and educators, meaning compromised data could include academic records, personal identifiers, and communication histories. The timing during exams amplified institutional panic and demonstrates how ransomware groups are increasingly targeting high-visibility infrastructure.


Data Breaches & Incidents
Zara — Database Intrusion Exposing 197,000 Customers
- Scope: 197,000 individuals' personal information exposed, according to breach notification service Have I Been Pwned.
- Root cause: Attackers gained access to Zara's databases and exfiltrated customer data records.
- User action: If you have a Zara account, check Have I Been Pwned (haveibeenpwned.com) with your email, change your Zara account password, and be alert for phishing emails using your details.

Coupang — Probe Concludes, Penalty Decision Imminent
- Scope: South Korea's Personal Information Protection Commission (PIPC) has wrapped up its investigation into a major data leak at e-commerce giant Coupang, with a penalty decision expected as early as June 2026. The scope of affected records has not been fully disclosed by regulators.
- Root cause: Details of the root cause have not been publicly confirmed pending the final regulatory decision.
- User action: Coupang customers in South Korea should review their account security settings, monitor for suspicious activity, and watch for the regulator's official announcement, which may trigger expanded notification.

Canvas / Instructure — Roundup of Under-the-Radar Breaches This Week
- Scope: Privacy Guides' weekly data breach roundup (covering May 1–7, 2026) flagged multiple smaller incidents that flew under the radar while the Canvas breach dominated coverage.
- Root cause: Varied across incidents — see individual disclosures for details.
- User action: Review the full weekly roundup for a comprehensive list and check Have I Been Pwned regularly.
Regulatory & Enforcement Actions
FTC vs. Kochava — Ban on Sale of Sensitive Location Data
- Ruling: The FTC announced it will ban data broker Kochava and its subsidiary from selling sensitive location data as part of a settlement resolving charges that Kochava sold location data linked to millions of mobile devices — data that could reveal visits to sensitive locations including health clinics, religious sites, and shelters.
- Penalty: Kochava is prohibited from selling or licensing sensitive location data; the full settlement terms include remediation orders and compliance monitoring.
- Precedent: This marks an escalating FTC posture toward location data brokers and signals that linking anonymized device identifiers to real-world sensitive locations constitutes an unfair practice under FTC Act Section 5 — a precedent with broad implications for the entire data brokerage industry.
South Korean PIPC — Coupang Data Leak Final Decision Pending
- Ruling: South Korea's data protection authority has completed its investigation into Coupang's data breach and is preparing to issue a final penalty ruling as early as June 2026.
- Penalty: Fine amount and remediation orders have not yet been publicly announced; decision expected within weeks.
- Precedent: The case will be a significant test of South Korea's enforcement appetite under its Personal Information Protection Act, particularly for large platform operators, and is being watched by regional regulators across Asia-Pacific.
Legislation & Policy Moves
- United States — SECURE Data Act: House Republicans on the Energy and Commerce Committee introduced a draft comprehensive federal consumer privacy bill on April 22, 2026 aimed at creating a uniform federal standard to preempt the current patchwork of state privacy laws — introduced, no effective date set yet.
- United States — SECURE Data Act (Analysis): The IAPP published a detailed analysis of the bill's scope, data minimization requirements, and preemption provisions, noting it represents the first major federal consumer privacy draft in years — introduced/under review.

Advocacy & Civil Society
No fresh EFF, NOYB, Privacy International, or Access Now campaigns published after 2026-05-06 were available in this week's research results. Check these organizations' sites directly for the latest updates:
- EFF Deeplinks:
- NOYB:
- Privacy International:
Industry & Tech Response
- Instructure (Canvas): The company has acknowledged the breach and issued guidance advising institutions to monitor for suspicious activity; some schools independently warned users not to log back into Canvas pending further investigation. The response has been criticized as slow given the scale of the incident.
- Have I Been Pwned (Zara): The breach notification service confirmed and catalogued the Zara breach, making it searchable for affected individuals — a reminder of the public value of independent breach tracking infrastructure.
- ShinyHunters group: The same group responsible for Instructure/Canvas also claimed credit for this week's Zara breach, as well as previous attacks on Udemy and 7-Eleven, suggesting a coordinated campaign targeting consumer-facing platforms with large datasets.
Reader Action Items
- Check if you're affected: Visit Have I Been Pwned and search your email address to see if it appears in the Zara breach or any other recent incident. If your institution uses Canvas, check official communications from your school about the Instructure breach.
- Settings to review: If you use Canvas, enable multi-factor authentication on your institutional account if available. For Zara, log into your account and change your password immediately — and if you reused that password elsewhere, change it on those services too.
- Rights you can exercise: EU/EEA users affected by the Zara breach (a Spanish company) can file a GDPR data subject access request or complaint with their national Data Protection Authority. South Korean Coupang users can contact the Personal Information Protection Commission (privacy.go.kr) to inquire about the status of the investigation and their rights under the PIPA.
What to Watch Next Week
- South Korea PIPC — Coupang penalty: The regulator expects to issue its final fine and remediation orders as early as June; watch for the amount and whether it sets a high-water mark for South Korean enforcement.
- US SECURE Data Act: Committee hearings and stakeholder feedback on the House Republicans' federal privacy bill draft will accelerate; early industry and advocacy reactions will shape its path forward.
- Instructure Canvas breach scope: Independent researchers and institutions are still verifying the claimed 275 million figure — confirmations or refutations from Instructure and third-party forensics firms will clarify the true scale and may trigger mandatory breach notifications across multiple jurisdictions.
Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.