A widely used online learning platform, Canvas, suffered a cyber attack on 7 May, causing it to be taken offline. The platform previously detected suspicious activity on 29 April and had reported it to authorities at the time.
Canvas is used by universities and colleges, as well as some primary and secondary schools, to allow teaching staff to share materials such as course notes, assignments, and exams with students. It is also used to communicate with students about their work, and to disseminate grades.
Instructure, the owner of Canvas, stated that data accessed by the hackers may include the full names and student numbers of users, email addresses, and personal messages. Students and faculty were being advised to change their passwords, and to be on heightened alert for phishing attempts.
A hacker group called ShinyHunters claimed responsibility for the attack, saying that the personal data of 275 million users had been accessed. ShinyHunters has been tied to previous attacks including a breach at Ticketmaster and breaches at numerous global businesses via penetration of their Salesforce accounts.
ShinyHunters threatened to release stolen data unless it received an undisclosed ‘settlement’ payment. Underscoring the severity of the attack, the FBI issued a warning online to those affected, cautioning against engaging with or making any payment to the hackers.
Medical data relating to participants in a UK scientific programme, Biobank, was listed for sale on the Chinese marketplace Alibaba. Biobank holds data from volunteers who provide their medical information to assist with the detection and treatment of dementia, Parkinson’s disease, and some forms of cancer. The story of Biobank has not been a happy one, with reports that confidential health data has been exposed online on dozens of occasions, raising questions about the safeguarding of patient records by one of the UK’s flagship medical research projects.
Technology Minister Ian Murray said that whilst the information listed for sale did not include names, addresses, contact details or telephone numbers, it may have included gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
Once the listing was discovered, it was promptly removed by Alibaba, following support from the UK and Chinese governments, according to Murray. The breach was attributed to ‘rogue’ individuals at research institutions which had been granted access to UK Biobank; those individuals and institutions had their access revoked following the incident. Sir Rory Collins, who leads UK Biobank, said that the organisation was “essentially putting science on hold” following the incident, until it could put in place additional security measures to seek to prevent a recurrence in future.
Canada’s federal Privacy Commissioner, along with the provincial regulators of Quebec, British Columbia and Alberta, set out the findings of a joint investigation into ChatGPT, launched by OpenAI in 2022. The regulators’ investigation began in 2023 following a complaint that OpenAI had unlawfully collected, used and disclosed personal data without consent.
The report concludes that OpenAI’s training of ChatGPT did not respect Canadian privacy laws; it resulted in the collection and use of sensitive personal data. The report states that the regulators had “several concerns that led [them] to find that the way in which OpenAI had initially trained ChatGPT did not respect federal and provincial privacy laws.”
The report continued that the data processed “could include sensitive details such as individuals’ health conditions and political views, as well as information about children” and that many of the individuals whose data was collected were unaware that it was used in training ChatGPT. OpenAI disputed the report’s findings.
Federal Privacy Commissioner Yeves Dufresne called for updates to Canada’s privacy laws, stating: “As AI is increasingly being integrated into personal and professional applications and while currently laws apply to AI, updated laws would help further support the safe deployment of new technologies to protect Canadians’ fundamental right to privacy.”
The Irish Data Protection Commission (DPC) announced an investigation into the Chinese online retailer Shein over its personal data transfers to China.
The DPC press release stated that the investigation will consider in particular whether Shein has complied with:
The DPC sets out the basis for commencing the investigation:
“When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU.
Recent regulatory action by the DPC, together with complaints to other European supervisory authorities, has brought data transfers to China, in particular, into focus. The inquiry is an important strategic priority for the DPC and we intend to cooperate closely with our peer European Supervisory Authorities as part of the investigation.”
The DPC has been an active regulator under the GDPR, having carried out investigations and issued fines to several global platforms, including a fine of €530 million against TikTok in relation to its internal transfers of personal data.
For further information please contact James Tumbridge and Robert Peake.