Digital Privacy & Data Rights — 2026-05-18
The week's dominant story continues to unfold around the Instructure Canvas breach, where edtech giant Instructure reportedly reached a ransom agreement with hacker group ShinyHunters to halt the leak of 3.65TB of data affecting an estimated 275 million users — raising serious questions about paying cybercriminals. On the regulatory front, the FTC issued a compliance reminder to tech companies about the newly enacted Take It Down Act, setting a May 19 deadline. Together, these events underscore the escalating costs of data insecurity and the growing federal pressure on platforms to protect users' most sensitive information.
This Week's Top Story
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Data Leak

- What happened: Instructure, the company behind the Canvas learning management platform used by thousands of colleges and schools worldwide, paid a ransom to hacker group ShinyHunters following a breach that exposed an estimated 3.65TB of data. The attackers had claimed access to records on approximately 275 million Canvas users. The ransom agreement was reportedly reached to prevent the wider release or sale of the stolen data, which included personal information such as student and instructor records.
- Who's affected: Students, educators, and administrators at institutions using Canvas globally — including prominent universities such as MIT and Oxford, according to earlier reporting. K-12 vendors and thousands of U.S. colleges were among the affected parties.
- Why it matters: Paying ransoms to cybercriminals sets a dangerous precedent and does not guarantee that stolen data is actually destroyed. Security experts warn that the payment creates incentives for future attacks on educational institutions, which hold large volumes of sensitive personal data. The breach also disrupted finals week for many schools, amplifying its real-world impact.
Data Breaches & Incidents
LeakWatch Summary — Calendar Week 20 (May 11–17, 2026)

- Scope: The week of May 11–17, 2026 showed a security landscape shaped less by a single dominant mega-leak than by a noticeable spread of multiple incidents. No single event reached the scale of the Instructure breach from the prior week, but several mid-tier incidents affected users across multiple sectors.
- Root cause: Analysts tracking the week noted a mix of credential-based attacks and third-party vulnerabilities as primary vectors.
- User action: Users should audit login credentials, especially for services tied to educational platforms, and enable multi-factor authentication wherever available.
Instructure/Canvas — Ransomware & Data Exfiltration (Ongoing Impact)
- Scope: 275 million user records, 3.65TB of data. Data types include personal information associated with students and educators at thousands of institutions globally.
- Root cause: ShinyHunters hacker group infiltrated Instructure's systems. The specific technical vector has not been publicly confirmed by Instructure.
- User action: Canvas users — particularly students and faculty — should assume their email addresses, names, and institutional identifiers may be exposed. Monitor for phishing emails impersonating Canvas or associated universities, and change passwords for any accounts using the same credentials.
K-12 Vendor Supply Chain — Elevated Risk Post-Canvas
- Scope: Following the Canvas breach, security analysts and education technology observers have warned that the K-12 vendor ecosystem faces heightened risk. The disclosure prompted broad concern about downstream data-sharing practices that could expose student data beyond the primary breach.
- Root cause: Third-party data flows and vendor integrations common in the edtech sector can amplify the blast radius of a single breach.
- User action: School IT administrators should audit which third-party services have access to student data and review data sharing agreements with vendors.
Regulatory & Enforcement Actions
FTC vs. Tech Platforms — Take It Down Act Compliance Warning
- Ruling: FTC Chairman Andrew Ferguson sent letters to more than a dozen prominent technology companies on May 11, 2026, reminding them of their legal obligation to comply fully with the Take It Down Act (TIDA) no later than May 19, 2026. The Act requires platforms to remove non-consensual intimate imagery (NCII) upon request.
- Penalty: No fines announced yet; the letters constitute a formal compliance warning. Non-compliant platforms risk enforcement action under the FTC's consumer protection authority.
- Precedent: This marks one of the first formal enforcement postures under TIDA, signaling that the FTC intends to actively police compliance with the new NCII removal law. It establishes a clear expectation that major platforms must have operational removal mechanisms in place.
FTC vs. Kochava — Location Data Ban Settlement
- Ruling: The FTC announced a settlement banning Kochava and its subsidiary from selling sensitive location data linked to millions of mobile devices. The action charges Kochava with selling precise geolocation data that could be used to track individuals to sensitive locations including health clinics and places of worship.
- Penalty: Under the settlement, Kochava and its subsidiary are banned from selling sensitive location data. The FTC's action was announced in early May 2026.
- Precedent: This is a significant enforcement action targeting data brokers and their location-data practices. It reinforces the FTC's position that selling granular location data without meaningful user consent constitutes an unfair or deceptive trade practice, particularly when that data reveals sensitive movements.
Legislation & Policy Moves
- United States — SECURE Data Act (HR 8413): Comprehensive federal consumer privacy bill introduced by House Energy and Commerce Committee Vice Chairman John Joyce (R-PA) on April 22, 2026; the bill would establish a uniform federal standard intended to preempt the patchwork of state privacy laws. Backed by top House Republicans after 14 months of work by a Republican-only Privacy Working Group — Introduced — Effective date not yet set.
- United States — Take It Down Act (TIDA): Federal law requiring online platforms to remove non-consensual intimate imagery within specified timeframes upon user request; compliance deadline set at May 19, 2026, with the FTC actively notifying companies of their obligations this week — Signed/Enacted — Effective May 19, 2026.
Advocacy & Civil Society
No fresh advocacy campaign data from EFF, NOYB, Privacy International, or Access Now published after May 11, 2026 was available in this week's research results. The EFF Deeplinks page was accessible but screenshot-based extraction was incomplete — readers should check directly for the latest posts.
Industry & Tech Response
- Edtech platforms face scrutiny: Following the Instructure Canvas breach and ransom payment, the broader edtech industry is under pressure to improve data minimization practices and incident response. The breach has reignited debate about whether learning management systems collect and retain far more personal data than is necessary, and whether paying ransoms should ever be standard practice.
- FTC signals active platform enforcement on NCII: With the Take It Down Act compliance deadline arriving May 19, technology companies including major social media platforms are rushing to certify their removal processes for non-consensual intimate imagery. The FTC's letters to over a dozen companies indicate that enforcement — not just voluntary compliance — is the expectation going forward.
- SECURE Data Act debate intensifies: The Republican-introduced SECURE Data Act has drawn sharp attention from privacy advocates who warn its federal preemption clause would override stronger state-level consumer protections, including California's CCPA. The bill's rollout coincides with growing legislative momentum but faces significant opposition from civil society groups who argue it weakens existing rights.
Reader Action Items
- Check if you're affected: If you or your institution uses Canvas (Instructure), assume your name, email, and institutional details may be exposed. Check for your email address and watch for phishing attempts mimicking Canvas, your university, or related services.
- Settings to review: Enable multi-factor authentication on your Canvas account and any email accounts connected to educational platforms. If you reuse passwords across services, update them immediately using a password manager.
- Rights you can exercise: EU and UK users affected by the Canvas breach may have the right to file a GDPR/UK GDPR complaint with their national data protection authority (e.g., ICO in the UK, or your local DPA) requesting information about how Instructure processed and protected your data. US users in California may exercise CCPA rights to request disclosure of data held about them from Instructure directly.
What to Watch Next Week
- Take It Down Act enforcement: The May 19 compliance deadline has now passed — watch for FTC enforcement actions or public disclosures about which platforms failed to meet requirements.
- SECURE Data Act committee progress: The bill has been introduced; monitor the House Energy and Commerce Committee for hearings, markups, or amendments that could reshape its preemption provisions.
- Instructure/Canvas breach fallout: Expect class-action lawsuits, potential state attorney general investigations, and continued debate about the ethics and legality of ransom payments following the ShinyHunters settlement. School districts may also face their own notification obligations under FERPA and state breach laws.
Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.