Digital Privacy & Data Rights — 2026-05-06

May 6, 2026 | 7 min read

The biggest story this week is the confirmed data breach at Instructure, maker of the Canvas learning management platform, with hacking group ShinyHunters claiming theft of data affecting up to 275 million users across roughly 9,000 schools worldwide. On the regulatory front, the FTC moved to ban data broker Kochava from selling sensitive location data, setting an important precedent for location privacy enforcement. These incidents underscore a recurring pattern: educational and commercial platforms handling vast personal datasets remain prime targets, while regulators are increasingly using existing authority to constrain the surveillance data economy.

This Week's Top Story


Instructure (Canvas) Confirms Massive Data Breach — ShinyHunters Claims 275M Users Affected

  • What happened: Edtech company Instructure, maker of the widely used Canvas learning management platform, confirmed a cyberattack in which personal data of users was exposed. The ShinyHunters hacking group claimed responsibility, alleging theft of data from nearly 9,000 schools worldwide and asserting that roughly 275 million user records were compromised. Stolen data reportedly includes names, email addresses, ID numbers, and messages.
  • Who's affected: Students, educators, and administrators at approximately 9,000 educational institutions globally — spanning K-12 and higher education — are potentially exposed. The breach affects users across multiple countries wherever Canvas is deployed.
  • Why it matters: This breach represents one of the largest confirmed attacks on the education sector in recent memory. Because Canvas is embedded in daily academic life, compromised credentials and messages could enable targeted phishing campaigns against students and faculty. The scale also raises questions about whether edtech platforms are adequately protecting the sensitive data of minors.

Canvas learning platform breach confirmed — ShinyHunters claims nearly 9,000 schools worldwide affected


Data Breaches & Incidents


Instructure / Canvas — Cyberattack, User Data Exfiltrated

  • Scope: Up to 275 million user records claimed by ShinyHunters; confirmed stolen data includes names, email addresses, ID numbers, and internal messages; approximately 9,000 schools worldwide affected.
  • Root cause: Instructure confirmed a cyber incident is under investigation; attack vector has not been fully disclosed publicly. ShinyHunters, a prolific group responsible for multiple high-profile breaches, has claimed responsibility and threatened to leak or sell the data.
  • User action: Users of Canvas (students, instructors, staff) at any institution should change their Canvas password immediately, enable multi-factor authentication if available, and be alert to phishing emails that may impersonate their school or Canvas directly.

University data breach — Instructure confirms Canvas platform cyberattack exposing student and faculty records

Privacy Guides Data Breach Roundup (Apr 24–30, 2026) — Multiple Incidents

  • Scope: The weekly roundup covering April 24–30 documented breaches at a security company, two medtech companies, a video streaming service, and a previously unreported older attack — collectively affecting an undisclosed but significant number of users across health and media sectors.
  • Root cause: Multiple vectors reported, including credential compromise and system misconfigurations; the medtech breaches are particularly notable given the sensitivity of health-related personal data.
  • User action: Users of healthcare apps or video streaming services should review breach-notification emails, update passwords, and consider whether any sensitive health data was stored with affected providers.

Techzine / SecurityAffairs — ShinyHunters Confirmed as Instructure Attacker

  • Scope: Multiple independent reports corroborate that ShinyHunters is claiming the Instructure breach and offering to sell or release stolen data; Security Affairs confirmed the incident affects educational tech infrastructure across the globe.
  • Root cause: ShinyHunters has a documented history of exploiting API vulnerabilities and reusing leaked credentials from prior breaches to gain access to new targets.
  • User action: IT administrators at affected educational institutions should audit API access logs, rotate all service account credentials, and review third-party integrations connected to Canvas.

Regulatory & Enforcement Actions


FTC vs. Kochava — Location Data Broker Banned from Selling Sensitive Location Data

  • Ruling: The Federal Trade Commission announced it will ban Kochava and its subsidiary from selling sensitive location data linked to millions of mobile devices, settling charges that the companies sold precise geolocation information that could be used to track individuals' movements to sensitive locations such as health clinics and places of worship.
  • Penalty: Full ban on selling sensitive location data; full penalty and remediation details are available on the FTC enforcement page.
  • Precedent: This action establishes a clear FTC posture that selling precise location data tied to sensitive locations — even without a user's name — constitutes an unfair practice under Section 5. It signals that data brokers trafficking in mobility data face real enforcement risk, and sets expectations for the emerging location-data market.

EDPB — 2026 Coordinated Enforcement Action on Transparency Launched

  • Ruling: The European Data Protection Board launched its 2026 Coordinated Enforcement Framework (CEF) action, focusing on transparency and information obligations under the GDPR. National data protection authorities across the EU are participating on a voluntary basis to conduct simultaneous investigations into whether organizations are providing clear, accessible privacy notices to data subjects.
  • Penalty: No penalties have been issued yet; this is an investigative phase. Results and potential fines from participating DPAs are expected later in 2026.
  • Precedent: The coordinated approach amplifies enforcement pressure across multiple jurisdictions at once, meaning companies operating across the EU face parallel scrutiny. The transparency focus directly affects how every privacy policy and cookie notice is drafted.

Legislation & Policy Moves

  • United States — SECURE Data Act (House Republicans Draft): Introduced by U.S. House Committee on Energy and Commerce Republicans on April 22, 2026, this comprehensive federal consumer privacy bill proposes a uniform national standard that would preempt the existing patchwork of state privacy laws. It is the first major federal consumer privacy bill released in years. Status: introduced; effective date not yet known.

U.S. Capitol building — Republicans introduce SECURE Data Act, the first major federal consumer privacy bill in years

  • United States — FTC COPPA Age Verification Policy Statement: The FTC issued a policy statement in February 2026 announcing it will not bring enforcement actions under the COPPA Rule against operators that use age verification technologies to protect children online, encouraging platforms to adopt technical age-gating. Status: issued and in effect as of February 25, 2026.

Advocacy & Civil Society

No EFF, NOYB, Privacy International, or ACCESS NOW campaign posts from after April 29, 2026 were returned with confirmed publication dates in the research results. Verified-fresh civil society content is not available for this section this week — check eff.org/deeplinks directly for the latest updates.


Industry & Tech Response

  • Instructure / Canvas has confirmed an active investigation into the ShinyHunters breach and has not yet issued a full public remediation statement; the company faces mounting pressure from educational institutions to clarify the scope of exposure and provide breach notifications to affected users and families.

  • ShinyHunters continues to be the most prominent threat actor in the education and consumer sectors, having also previously claimed breaches at other major platforms; this group's pattern of targeting large SaaS platforms with shared authentication infrastructure is prompting renewed calls for mandatory multi-factor authentication across the edtech industry.

ShinyHunters claims Instructure Canvas breach — data from hundreds of millions of users reportedly stolen

  • FTC's Kochava settlement is prompting other location data brokers to quietly audit their data sales pipelines; industry observers note that the action may accelerate self-regulatory moves in the data broker ecosystem ahead of any potential federal privacy legislation.

Reader Action Items

  • Check if you're affected: If you or a family member uses Canvas at any school or university, assume your account data may be involved. Visit and check your email address. Change your Canvas password now, even before official notification.
  • Settings to review: On any edtech or SaaS platform you use: (1) Enable multi-factor authentication (MFA) — go to your account security settings; (2) Review which third-party apps have OAuth access to your educational accounts and revoke any you don't recognize.
  • Rights you can exercise: EU/EEA users can file a Subject Access Request (SAR) under GDPR Article 15 with Instructure to find out exactly what personal data was held and whether it was involved in the breach. U.S. users in states with comprehensive privacy laws (California, Virginia, Colorado, etc.) can submit a data access request directly to Instructure via its privacy portal.

What to Watch Next Week

  • Instructure breach fallout: Expect formal breach notification letters to begin arriving at affected institutions; watch for regulatory investigations from EU data protection authorities, given the global scope of Canvas usage.
  • SECURE Data Act: The House Energy and Commerce Committee is expected to begin formal markup hearings on the draft bill; privacy advocates are preparing testimony on preemption and enforcement provisions — the key sticking points that have killed previous federal efforts.
  • EDPB Coordinated Enforcement (CEF 2026): National DPAs will begin formally announcing their participation and investigation targets; watch for which sectors (adtech, cloud, retail) receive the most attention in the first wave.

Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
