// #breach
7 articles
Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign
Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement — university login pages were replaced with ransom demands visible to students and staff. Instructure is notifying affected institutions and has issued an emergency patch.
Medtronic Confirms Data Breach — ShinyHunters Claims 9 Million Medical Device Patient Records Stolen
Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.
Rituals Cosmetics Discloses Data Breach — Up to 40 Million My Rituals Members' PII Potentially Exposed
Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
Basic-Fit Breach Exposes Personal and Bank Data of One Million European Gym Members
Dutch fitness chain Basic-Fit has disclosed a data breach affecting approximately one million members across six European countries, with bank account details among the compromised data. The breach targeted the company's visit-tracking system, exposing names, contact details, dates of birth, and banking information. GDPR notifications have been filed.
Booking.com Breach Exposes Reservation Data — Phishing Wave Follows
Booking.com has disclosed unauthorised access to customer reservation data including names, contact details, and booking information. No payment data was taken, but the exposed reservation details create a high-quality dataset for targeted travel-themed phishing campaigns. Reservation PINs have been reset across affected bookings.
Cyberattack Hits European Commission Europa Web Platform — Data Taken From Hosted Websites
The European Commission confirmed on 27 March that a cyberattack on 24 March 2026 struck the cloud infrastructure hosting the Europa web platform, with early forensic findings indicating that data was exfiltrated from affected websites. The Commission operates hundreds of websites across the europa.eu domain, hosting EU policy documents, consultation portals, and public databases. The incident is under investigation.