Approximately 6 million customers of Carnival Corporation were affected by a breach that began with a social engineering ploy that deceived an employee and allowed malicious actors to access part of the company’s IT systems.
Instructure and Canvas: two incidents, a ransom payment
Learning management company Instructure discovered a breach of its Canvas platform on Apr. 29. The compromised information included names, email addresses, student ID numbers and messages exchanged between users. A few days after that discovery, Instructure experienced a second Canvas incident in which attackers were able to display a message on a webpage when users logged in; that second event reportedly did not compromise any data. Security reporting notes the organization paid a ransom to the threat actors as a result of the initial data breach.
Carnival Corporation: social engineering, ShinyHunters, and conflicting counts
Carnival Corporation disclosed that roughly 6 million customers were affected after a social engineering operation deceived an employee and allowed access to part of the company’s IT systems. The criminal group ShinyHunters claimed responsibility and asserted it had stolen 8.7 million records — a higher figure than the company’s published estimate. The discrepancy between the company's figure and the actor’s claim is recorded plainly in the reporting.
Foxconn and Nitrogen: claim of 11 million records, named customers flagged
The ransomware group Nitrogen claimed to have stolen 11 million records from electronics manufacturer Foxconn. Foxconn confirmed it had faced a cyberattack. Reporting lists potentially impacted customers named by the incident: Intel, Dell, Apple and Nvidia.
Ransomware exfiltration: West Pharmaceutical Services and American Lending Center
On May 4, West Pharmaceutical Services discovered it had been the victim of a ransomware attack. At the time of discovery the company determined certain data had been exfiltrated, though the extent of the affected data remained unknown in the reporting; there was no evidence at that time of unauthorized or malicious activity against customers. Separately, American Lending Center notified consumers in April 2026 of a breach that had originally been discovered in July 2025; that incident was the result of a ransomware attack and initial reports indicate about 123,000 individuals are believed to be impacted.
GitHub and 7‑Eleven: internal repositories and franchisee documents exposed
GitHub reported a compromise when an employee device was breached, leading to a compromise of roughly 3,800 internal repositories. The group behind that incident stated they do not intend to extort GitHub; instead, the actors said they plan to sell the data to a single buyer. In a separate consumer-facing matter, convenience store chain 7‑Eleven experienced a breach of franchisee documents, potentially exposing data contained in franchise applications. Customers were not believed to be affected at the time of reporting, but 7‑Eleven has been sued after the group ShinyHunters claimed to expose more than 600,000 records.
What this means for technologists, enterprise leaders, and consumers
- Technologists and security teams: incidents in this collection underscore attention points from social engineering (Carnival) to employee-device compromise (GitHub) to cross-organizational exposure of customer or partner records (Foxconn). Teams will be watching for follow-up details about exfiltration scope — notably the unknown extent at West Pharmaceutical Services — and how claimed record counts (Nitrogen’s 11 million, ShinyHunters’ 8.7 million and 600,000 figures) compare with vendor disclosures.
- Affected enterprises and procurement leaders: several organizations in this set faced ransomware or extortion decisions; Instructure paid a ransom and some attackers signaled intent to sell rather than extort. Procurement and legal leaders will be tallying contractual exposures where vendor incidents could implicate named customers (for example, Intel, Dell, Apple and Nvidia in the Foxconn notice).
- Consumers and end users: impacted categories vary by incident — names, emails, student IDs and user messages in the Canvas breach; millions of Carnival customers; roughly 123,000 American Lending Center customers; and franchisee application materials at 7‑Eleven. Consumers will be watching corporate notifications and any remedial offers such as identity protection or credit monitoring.
The May 2026 round of incidents presents a mix of clarity and ambiguity: some companies have acknowledged breaches and named at least part of the exposed data, while several threat actors have published differing totals or declared intent to sell data rather than extort. Key open questions in the reporting are straightforward and specific — how extensive was the West Pharmaceutical Services exfiltration, which of Foxconn’s customers were materially affected, and why do actor-claimed record counts differ from company estimates in the Carnival and 7‑Eleven incidents — and the answers will shape what follows for victims, customers and the security teams that defend them.
https://www.securitymagazine.com/articles/102284-7-data-security-stories-to-know-about-may-2026
