Another recent victim of ShinyHunters is Instructure, the supplier of the Canvas learning management system, in an attack that disrupted the login portals of 330 colleges and universities during the critical college exam schedule.

According to Dataminr, ShinyHunters “claimed to have stolen 3.654TB of data affecting about 275 million individuals and 9,000 institutions worldwide.” The stolen data included names, email addresses, student ID numbers and messages, but not passwords, government IDs, birth dates, or financial data. The company admitted that the threat actors obtained access on April 29, 2026. After remediation and revoking the threat actors’ access, it identified additional unauthorized activity on May 7, 2026. The incident caused Instructure to take Canvas offline, affecting its 8,800 customers during exam season.

This is not the first ShinyHunters attack on Instructure. Not only did it maintain persistence in April and May, but ShinyHunters also attacked Instructure in September 2025, in a social engineering attack that provided the threat actors with access to its Salesforce instance.

Instructure confirmed on May 11, 2026, that it has “reached an agreement with the unauthorized actor involved in this incident,” had “received digital confirmation of data destruction (shred logs),” and that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” The Cybersecurity & Infrastructure Security Agency issued an alert on the incident, and Congress started an inquiry. In addition, the Federal Trade Commission (FTC) warns consumers to be cautious about texts or emails pretending to be from Canvas “to trick you into giving them your information,” and provides tips on responding to any messages related to the Canvas hack. Importantly, the FTC advises parents to alert children to be cautious about texts and emails. It’s a good reminder to discuss with your children how threat actors launch social engineering campaigns using the data stolen in an incident such as this one.

The spread of AI-generated intimate imagery has turned what was already a serious online safety issue into a fast-moving platform governance problem. The Federal Trade Commission’s (FTC) latest stakeholder letter makes clear that covered platforms will be expected to have systems in place before enforcement begins. This week, the FTC sent a stakeholder letter to covered platforms signaling that the agency expects them to be ready by May 19, 2026, when Section 3 of the TAKE IT DOWN Act (TIDA) becomes enforceable. The letter emphasizes that platforms receiving a valid removal request must remove the reported intimate image or video, along with known identical copies, within 48 hours. The FTC also urges platforms to make requests easy to submit, including for people without platform accounts, and suggests request-level tracking so users, platforms, and law enforcement can identify the same takedown matter. The enforcement message is direct: TIDA violations will be treated as FTC rule violations and may carry civil penalties of up to $53,088 per violation.

TIDA applies to certain websites, online services, apps, and mobile applications that serve the public and primarily provide a forum for user-generated content, or that regularly publish, curate, host, or make available nonconsensual intimate depictions. It covers both authentic intimate visual depictions and “digital forgeries,” including AI-generated or technologically altered intimate images that appear indistinguishable from authentic depictions. Covered platforms must maintain a clear, conspicuous, plain-language notice-and-removal process that allows an identifiable individual, or an authorized representative, to request removal of nonconsensual intimate content.

Once a valid request is received, the platform must remove the content as soon as possible, and no later than 48 hours after receipt, and make reasonable efforts to remove known identical copies. Forty-eight hours is not much time to verify a request, locate reported content, identify known identical copies, coordinate internal teams, and document the response. This means that covered platforms should act now, including mapping where covered content can appear, making reporting channels easy to find and use, assigning clear internal ownership, testing duplicate-detection tools, and deciding how request tracking, records, vendor support, and hashing will work in practice. Before the first 48-hour clock starts, the process should already be built, tested, and ready to run.

TIDA is another example of privacy, safety, and AI governance converging into concrete operational obligations. Companies should not treat this as a narrow content-moderation issue. Compliance may require intake workflows, identity and authorization checks, escalation paths, duplicate-detection capabilities, documentation, and defensible timing controls. Platforms should also assess whether hashing or similar tools can help prevent re-uploads, while accounting for the privacy, security, and retention risks that come with handling highly sensitive images. More broadly, regulators are signaling that user-safety obligations need to be built into product design, not handled only after complaints arrive. For companies in scope, the work now is to understand where this content can surface, align reporting channels, moderation tools, records, and vendor support, and make sure the response process works before the clock is running.
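The request-level tracking, 48-hour clock, and hash-based duplicate detection described above, as an added example that is not part of the original post or any platform’s code. It assumes a hypothetical hosted-media index that retains only a SHA-256 digest per item (so the tracker never holds the sensitive images themselves) and treats “known identical copies” as byte-identical files; the media ids and bytes are constructed.

```python
import hashlib
import uuid
from datetime import datetime, timedelta

REMOVAL_WINDOW = timedelta(hours=48)  # deadline counted from receipt of a valid request


def content_digest(data: bytes) -> str:
    """SHA-256 of the media bytes; the only per-item value the tracker retains."""
    return hashlib.sha256(data).hexdigest()


class TakedownTracker:
    """Tracks removal requests per request id and finds byte-identical copies by digest."""

    def __init__(self) -> None:
        self.index: dict[str, str] = {}      # media_id -> digest (hypothetical hosted-media index)
        self.removed: set[str] = set()       # media ids already taken down
        self.requests: dict[str, dict] = {}  # request_id -> record; no image data is stored

    def register_media(self, media_id: str, data: bytes) -> None:
        self.index[media_id] = content_digest(data)

    def _copies_of(self, digest: str) -> list[str]:
        return sorted(mid for mid, d in self.index.items()
                      if d == digest and mid not in self.removed)

    def open_request(self, reported_media_id: str, received_at: datetime,
                     requester_verified: bool) -> dict:
        """Record a valid request, start the 48-hour clock, and list identical copies."""
        if not requester_verified:
            raise ValueError("verify the requester (or authorized representative) first")
        if reported_media_id not in self.index:
            raise KeyError(f"unknown media id {reported_media_id!r}")
        digest = self.index[reported_media_id]
        record = {
            "request_id": str(uuid.uuid4()),  # one reference shared by user, platform, law enforcement
            "digest": digest,
            "received_at": received_at,
            "deadline": received_at + REMOVAL_WINDOW,
            "targets": self._copies_of(digest),
            "removed_at": None,
        }
        self.requests[record["request_id"]] = record
        return record

    def execute_removal(self, request_id: str, now: datetime) -> dict:
        """Take down every target, stamp the time, and report whether the deadline was met."""
        record = self.requests[request_id]
        # Re-scan so a copy uploaded after the request was opened is removed as well.
        new_copies = [m for m in self._copies_of(record["digest"]) if m not in record["targets"]]
        record["targets"] = sorted(record["targets"] + new_copies)
        self.removed.update(record["targets"])
        record["removed_at"] = now
        record["within_deadline"] = now <= record["deadline"]
        return record
```

Perceptual or near-duplicate matching, which the page leaves to the platform’s own tooling, would replace the exact-digest comparison in `_copies_of`.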

California regulators have announced a major privacy settlement with General Motors (GM) over allegations that the company unlawfully sold the location and driving data of hundreds of thousands of Californians to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The settlement, subject to court approval, requires GM to pay $12.75 million in civil penalties and imposes significant restrictions on how the company may use, retain, and share consumer driving data. According to the complaint, GM collected the data through OnStar and allegedly failed to provide adequate notice to consumers, despite statements suggesting that driving and location data would not be sold or would only be disclosed for insurance purposes at the consumer’s direction.

The settlement highlights the growing privacy risks associated with connected vehicles. As San Francisco District Attorney Brooke Jenkins stated, “Modern cars are rolling data collection machines.” Location data can reveal highly sensitive details about a person’s daily life, including where they live, work, worship, receive medical care, or take their children to school. California officials alleged that GM retained driving and location data longer than necessary and then sold it to data brokers that intended to use it for driver-rating products marketed to auto insurers. Although investigators determined that California drivers were likely not subject to increased premiums because California law restricts the use of driving data for insurance rates, the alleged conduct still raised serious concerns under the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law.

The settlement is especially notable because it is the California Department of Justice’s first enforcement action focused on the CCPA’s data minimization principle. Under the settlement terms, GM must stop selling driving data to consumer reporting agencies for five years, delete retained driving data within 180 days except for limited internal uses or where consumers provide affirmative, express consent, request deletion from LexisNexis and Verisk, and maintain a robust privacy compliance program. For companies collecting connected device data, the message is clear: collect only what is needed, explain data practices clearly, honor consumer rights, and do not repurpose sensitive data without proper notice and consent.

Pennsylvania’s lawsuit against Character Technologies, Inc., is a notable early test of how professional licensing laws may apply to consumer-facing AI chatbots. The Commonwealth, acting through the Department of State and State Board of Medicine, filed a Petition for Review in the Commonwealth Court of Pennsylvania seeking to restrain what it alleges is the unlawful practice of medicine under the state’s Medical Practice Act. The case centers on Character.AI, a website and mobile application that allows users to interact with customizable AI characters powered by a large language model (LLM).

According to the complaint, Character.AI is widely available, has more than 20 million monthly active users worldwide, and hosts more than 18 million unique chatbot characters created by users. The Commonwealth alleges that some of those characters purport to be health care professionals, including a chatbot named “Emilie,” described on the platform as “Doctor of psychiatry. You are her patient.” As of April 17, 2026, “Emilie” allegedly had approximately 45,500 user interactions on the Character.AI platform.

According to the investigation description in the complaint, a Pennsylvania professional conduct investigator created a free Character.AI account while located in Harrisburg, searched the platform for “psychiatry,” and selected “Emilie.” When the investigator said he felt sad, empty, tired, and unmotivated, “Emilie” mentioned depression and asked whether he wanted to book an assessment. The chatbot allegedly said an assessment was within her remit “as a Doctor,” claimed medical training and psychiatric licensure in the United Kingdom, represented that she was licensed in Pennsylvania, and provided a Pennsylvania license number that the complaint says was not valid.

The broader issue is not simply whether a chatbot gave bad advice, but whether an AI character can cross the line from roleplay into conduct regulated as medicine. Pennsylvania argues that Character Technologies engaged in unauthorized practice because the AI system held itself out as a licensed medical doctor and used the title of psychiatrist without a valid Pennsylvania license. If the court accepts that theory, the case could become an important warning to AI platforms: disclaimers may not be enough where a product allows bots to claim professional credentials, offer assessments, or present fake license numbers to users seeking health-related guidance.

According to HaveIBeenPwned, ShinyHunters targeted fashion brand Zara in a cyber-attack and claimed that it had stolen 197,000 unique email addresses, product SKUs, order IDs, and the originating market. The incident involved a former technology provider (AI analytics platform Anodot) for Zara’s parent company, Inditex, and resulted in the exposure of the personal information. ShinyHunters claimed to have leaked 140GB of data, which is reported to have included compromised authentication tokens for Anodot users.

Inditex has confirmed that no customer names, passwords, phone numbers, addresses, or payment information (bank cards) were compromised in the incident. Inditex has also confirmed that its core operations and systems were not impacted.

ShinyHunters continues to wreak havoc across all industries, and its technique of compromising authentication tokens is a warning to organizations to prioritize prevention of authentication token incidents. Obsidian has provided a basic summary of how token-based attacks work, and tips on how to prevent them.

Global medical device company Medtronic recently confirmed that it had been attacked by the threat actor group ShinyHunters. According to Bleeping Computer, Medtronic is “the largest medical device maker in the world by revenue ($33.5 billion) and also develops healthcare technologies and therapies.”

ShinyHunters alleges that it has stolen over nine million Medtronic records containing personal information, along with “terabytes of internal corporate data.”

Medtronic acknowledged the incident but confirmed that its customers, products, and operations have not been affected, and that “hospital customer networks remain separate from Medtronic IT networks and are secured and managed by customers’ IT teams.”

Medtronic is investigating the incident.

The Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have confirmed that threat actors are using FIRESTARTER malware to maintain persistence on Cisco network devices, retaining access even after patching and reboots.

FIRESTARTER malware targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software that were compromised before September 2025.

FIRESTARTER malware provides a persistent backdoor by hooking into the device’s core engine, allowing it to survive firmware updates, software upgrades, and regular reboots. It maintains persistence by detecting shutdown signals and automatically re-installing itself, so typical remediation methods fail.

The threat actor is believed to be a state-sponsored group known as UAT-4356. The attackers exploited CVE-2025-20333 (RCE) and CVE-2025-20362 (Auth Bypass) to install the malware. Because FIRESTARTER survives standard patches, CISA warns that patching alone is insufficient if the device was compromised before the patch was installed. It recommends several measures, including physically unplugging the device from all power sources (including redundant power) for at least one minute. In addition, CISA and Cisco recommend completely wiping and reimaging affected Cisco devices to ensure the malware is fully removed.

The Driver’s Privacy Protection Act (DPPA) may not draw as much regular attention as statutes like the VPPA, CCPA, or TCPA, but it remains a source of privacy litigation risk where motor vehicle record information is involved. The DPPA is a federal law that limits how personal information from state motor vehicle records may be obtained, disclosed, or used, and it allows individuals to sue over alleged misuse of that information.

In Cicale v. Professional Parking Management Corporation, No. 24-61146-CIV-SINGHAL (S.D. Fla. May 1, 2026), the plaintiff alleged in 2024 that a parking management company used license plate reader technology in private lots, matched plate numbers to Department of Motor Vehicles (DMV) records and then mailed parking charge notices to vehicle owners without first obtaining written consent. He claimed the notices were designed to resemble official citations, demanded $90 plus a $4.99 surcharge, and warned that nonpayment could lead to collections, booting, or towing. The complaint sought to represent a nationwide DPPA class and also asserted Florida consumer protection claims.

In an order entered on May 1, 2026, the District Court in the Southern District of Florida did not decide whether the company’s alleged access to DMV records violated the DPPA. Instead, the court held that the plaintiff had not alleged the kind of concrete injury needed to proceed in federal court. The order found that broad assertions of distress, annoyance, and privacy harm were too conclusory, and it rejected the plaintiff’s attempt to compare access to DMV records with a traditional invasion-of-privacy claim under Florida law. The court also rejected the claimed financial injury, reasoning that the plaintiff parked, left without paying, and then paid a bill he owed. The court dismissed the complaint and closed the case.

The decision underscores that, in DPPA litigation, a plaintiff must show real harm, not just alleged misuse of motor vehicle data. For businesses that use vehicle or location-related data in billing, enforcement, or operations, that means the fight may center as much on injury as on the underlying data practice. For now, this claim is parked.

California companies may have less time than they think to prepare for privacy audits. The California Privacy Protection Agency’s (CPPA) new Audits Division, created in February 2026, is expected to begin assessing companies’ compliance with the California Consumer Privacy Act (CCPA) this year, according to Executive Director Tom Kemp. This is a notable remark because—while the formal deadline to submit cybersecurity audit certifications does not begin until 2028 for some businesses—the CPPA expects companies to already be building and maintaining real audit-ready compliance programs.

So, what will these audits likely look at? The CPPA has not laid out a full roadmap, but recent comments suggest it may focus on practical problem areas that have already drawn enforcement attention. That includes whether consumers can actually exercise their rights to access, correct, delete, and opt out; whether privacy policies are accurate and complete; and how businesses handle newer risk areas like chatbots, large language models, surveillance pricing, and sensitive data. Auditors may also review a company’s cybersecurity program, internal governance, systems, and vendor relationships. If they find serious gaps, those issues could be referred for enforcement, where penalties have already reached six and seven figures.

The messaging is clear: if your organization does business in California or operates nationally, it’s time to stop treating audit obligations as a future paperwork exercise and start treating them as a present compliance priority. Companies should assess whether the rules apply to them, test whether their cybersecurity program is properly documented and owned by qualified personnel, and align their audit readiness work with California’s separate risk assessment requirements. These audits may be new, but the expectation to be prepared is already here.

Fashion, beauty, and wearable technology brands are heading into 2026 with a lot more to think about concerning data privacy. What used to feel like a back-end legal issue is now shaping how companies design products, personalize experiences, and build trust with customers. With new state privacy laws taking effect in Indiana, Kentucky, and Rhode Island, updates to California’s rules, and more changes expected across the country, brands can no longer afford to treat privacy as a simple compliance exercise. For companies, being open and thoughtful about data practices can actually become a real point of differentiation.

The biggest pressure points are clear: biometric data, consumer health and wellness data, children’s privacy, and AI are all facing increased scrutiny this year. For brands using virtual try-on tools, skin analysis, body scanning, wearables, or AI-powered personalization, the compliance stakes are especially high because many of these tools rely on sensitive personal information. At the same time, regulators are paying closer attention to targeted advertising, cookies, and tracking technologies, while class-action lawsuits tied to tools like pixels and similar technologies continue to rise. That means companies need to think carefully not just about what data they collect, but why they collect it, how they disclose it, and whether users are given real, meaningful choices.

The good news is that strong privacy practices can do more than reduce legal risk. They can strengthen brand reputation and deepen consumer loyalty. Companies that invest in privacy by design, clear consent flows, transparent notices, thoughtful AI governance, and stronger controls around children’s and health-related data will be better positioned to keep up with fast-moving laws and consumer expectations. Privacy is not just about compliance; it’s about earning trust in a way customers can see and value. For brands operating in California, that also means ensuring their privacy programs align with the California Consumer Privacy Act’s requirements around notice, consumer rights, and meaningful choices about how personal information is collected, used, and shared.