This Week in Privacy: Apr 27 - May 3, 2026

22 events covered

The week's biggest story wasn't a single massive breach, but rather a troubling pattern: hackers, regulators, and courts all exposed how companies continue to fail at basic data protection. From a 15-year-old allegedly stealing millions of government records in France to billion-dollar losses from social media scams, this week showed that digital security remains deeply broken across multiple sectors.

Top Stories

Schools and Students Hit by Canvas Breach

Educational technology company Instructure confirmed a data breach affecting its Canvas learning management system on May 3. The ShinyHunters extortion gang claimed responsibility, stating they exploited a now-patched vulnerability to access names, email addresses, student ID numbers, and private messages between students and teachers. Canvas serves millions of students across thousands of schools and universities, making this breach particularly concerning for families who entrust schools with their children's information. The exposure of private teacher-student communications raises questions about what sensitive educational or personal discussions may now be in criminal hands.

Meta Faces Mounting Pressure Over Child Safety

Meta faced regulatory action on multiple fronts this week. The European Commission issued preliminary findings that Facebook and Instagram have breached the EU Digital Services Act by failing to prevent children under 13 from accessing their platforms. Investigators found kids can easily bypass age restrictions by entering fake birthdates with no verification system in place, and that Meta's tools for reporting underage accounts are ineffective. Meanwhile, New Mexico entered a second trial phase seeking court-mandated changes to Meta's business practices, including mandatory age verification, prohibition of end-to-end encryption for users under 18, and a 90-hour monthly usage cap for minors. The state argues Meta has created a public health hazard. These cases represent a growing consensus among regulators that social media companies have systematically failed to protect children.

ADT Security Company Breached Through Employee Account

In an ironic twist, home security provider ADT confirmed hackers accessed customer data affecting approximately 5.5 million people. Attackers compromised an employee's Okta single sign-on account through voice phishing, then extracted names, phone numbers, home addresses, dates of birth, partial tax IDs, and the last four digits of Social Security numbers from ADT's Salesforce system. The hacking group ShinyHunters publicly leaked 11GB of data on the dark web after ADT reportedly failed to reach an agreement with them. The breach is particularly troubling because it exposed home addresses of people who specifically hired ADT to protect those homes.

Teen Arrested for Massive French Government Hack

French authorities arrested a 15-year-old suspected of hacking the National Agency for Secure Documents (ANTS), which processes passport, national ID card, and driver's license applications. The suspect, allegedly using the alias "breach3d," is accused of extracting between 12 and 18 million citizen records and advertising them for sale on cybercriminal forums. ANTS confirmed the circulated data appeared authentic, meaning a teenager potentially accessed the personal information of roughly one in five French citizens.

In Brief

* Vimeo confirmed a breach stemming from a compromise at third-party analytics vendor Anodot, with hackers threatening to release stolen user email addresses and technical information.
* New York fined Delta Dental $2.25 million for failing to address a known MOVEit vulnerability that led to a breach exposing Social Security numbers and health information.
* Spain's data protection authority fined Bankinter €4 million after a 2024 cyberattack on EVO Banco exposed 1.27 million customers' personal and financial data through a system migration error.
* Ireland's Supreme Court ruled that TikTok can continue current data operations while appealing a €530 million fine for allegedly allowing ByteDance engineers in China to access European user data.
* Roblox announced that all Indonesian users under 16 must complete facial age verification scans to continue using the platform with full features, affecting approximately 23 million accounts.
* Nigeria completely waived a $32.8 million fine against Meta in a confidential settlement, with Meta only agreeing to cover legal costs despite findings it processed data from 60 million Nigerian users without proper consent.
* Lloyds Banking Group compensated customers after a programming error in March allowed 114,182 people to view other users' transaction details.
* The FTC reported Americans lost at least $2.1 billion to scams originating on social media platforms in 2025, an eightfold increase since 2020.
* A federal judge dismissed a Justice Department lawsuit demanding Rhode Island provide detailed voter registration data, the fifth such dismissal.
* Fidelity was fined $1.25 million by Massachusetts regulators after a 2024 breach exposed 77,000 people's Social Security numbers and financial data through a simple web browser manipulation.
* SitusAMC faces consolidated class-action lawsuits after a November 2025 breach compromised customer records at the mortgage services provider used by JPMorgan Chase, Citi, and Morgan Stanley.
* Salesforce's Slack filed an antitrust lawsuit against Microsoft in London, alleging illegal bundling of Teams with Office products.

The Big Picture

This week revealed that basic security failures continue to cause massive damage despite years of warnings. Fidelity's breach happened because someone could change a URL to see other customers' files. Delta Dental ignored warnings about a known vulnerability. A 15-year-old allegedly stole millions of government records. These aren't sophisticated nation-state attacks; they're preventable failures. At the same time, the focus on protecting children intensified across multiple jurisdictions, with regulators increasingly willing to impose structural changes on how platforms operate rather than simply collecting fines. The combination of persistent security incompetence and growing regulatory impatience suggests we're entering a period where companies will face not just financial penalties, but forced operational changes. The question is whether that pressure will finally produce meaningful improvement in how our data is protected.

This Week in Privacy: Apr 27 - May 3, 2026 | PrivacyWire