Key developments
Canvas extortion attack disrupts schools nationwide
KrebsOnSecurity reported that attackers defaced Canvas's login page with a ransom demand, forcing Instructure to take the platform offline as schools and universities across the U.S. dealt with access disruptions. ShinyHunters claimed the campaign and threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. Instructure said the stolen data appears limited to names, email addresses, student ID numbers and user messages, and it found no evidence that passwords, birth dates, government identifiers or financial information were taken.
Why it matters
It shows how a vendor extortion attack can simultaneously expose user data and shut down core academic systems across thousands of institutions.
Sources & driving stories
KREBSONSECURITY
KrebsOnSecurity coverage
PRESS CITIZEN
Press Citizen coverage
California hits GM with privacy settlement
California officials announced a $12.75 million settlement with General Motors over allegations that OnStar collected and stored driving and precise location data without affirmative consumer consent and sold it to data brokers. Regulators said GM shared hundreds of thousands of consumers' geolocations, driving behavior, names and contact information with Verisk and LexisNexis Risk Solutions from 2020 to 2024, earning about $20 million nationwide. The deal pauses sales of driving data to consumer reporting agencies for five years, requires deletion of older data and broker deletion requests, and still needs court approval to become final.
Why it matters
It sets a new benchmark for California privacy enforcement against connected-car data collection and resale.
Sources & driving stories
THE RECORD · Suzanne Smalley
The Record coverage
Worth noting
WORTH NOTING
ShinyHunters moved deadline to May 12
The group is still pressing schools to negotiate, keeping leak pressure active for another week.
WORTH NOTING
Some campuses postponed finals
Columbia, Rutgers and other schools had to reschedule exams and assignments as Canvas access remained unstable.
Still unclear
OPEN QUESTION
How much Canvas data was exfiltrated?
Instructure says sensitive fields were not seen, but the full scope of the breach and whether attackers retained access remain unclear.
OPEN QUESTION
Will other automakers face similar CCPA action?
The GM settlement could preview broader California scrutiny of connected-vehicle data sales to brokers and insurers.
