West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'
BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.
Skoda Auto, the Volkswagen Group's Czech-built carmaker with 34,000 employees and 27 billion euros in annual sales, disclosed that attackers exploited a flaw in its German online shop software to access customer data. The breach hit shop.skoda-auto.de, not Skoda's global systems or the Skoda Connect portal. Exposed information includes names, addresses, email addresses, phone numbers, order history, account data, and password hashes. Payment card details were not stored on the affected system. Skoda took the shop offline, patched the flaw, and engaged external forensics, but admitted its server logs cannot retrospectively confirm exactly what data was copied out during the intrusion window.
OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.
Troy Hunt's Have I Been Pwned added two new ShinyHunters victims this week. Abrigo - a Texas-based fintech that builds risk, compliance, and lending software for thousands of US banks and credit unions - had 711,099 unique email addresses and 1.75 million records lifted from its Salesforce environment in April after refusing to pay the ransom. The Canada Life Assurance Company, one of Canada's largest insurers, had 237,810 accounts confirmed in HIBP from a separate ShinyHunters Salesforce breach. Both fit the pattern of the months-long ShinyHunters mass-extortion campaign that already hit Zara, Woflow, and Instructure, with stolen data sitting in third-party Salesforce tenants rather than the victims' core systems.
Foxconn confirmed Tuesday that a cyberattack hit several North American factories, with its Wisconsin Mount Pleasant facility halting production for a week starting May 1. Workers were told to power off computers and revert to paper timesheets. Nitrogen ransomware group claimed responsibility, posting 8 TB of stolen data covering 11 million files - allegedly including project documentation tied to Apple, Intel, Google, Dell, AMD, and Nvidia. Foxconn says production is resuming. This is the fourth ransomware attack on a Foxconn entity since 2020.
Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.
SailPoint, the identity governance vendor used by many large enterprises, disclosed in a SEC 8-K filing that attackers gained unauthorized access to a subset of its GitHub repositories on April 20. The company's incident response team contained the intrusion the same day. SailPoint says no customer data in production or staging was accessed and its services were not interrupted. The root cause was a vulnerability in a third-party application, which has been remediated. SailPoint notified affected customers directly and says no further customer action is needed. The company has not disclosed what data was actually in the impacted repos.
The UK Information Commissioner fined South Staffordshire Water 963,900 pounds over a 2022 Cl0p ransomware breach that exposed 633,887 customer and employee records. The penalty notice reveals attackers were inside the network nearly two years before discovery - initial access happened September 2020 via a malicious email attachment, but they were not detected until July 2022 when IT performance issues triggered an investigation. The ICO found basic security failures: an unpatched ZeroLogon flaw on two domain controllers, no principle of least privilege, an outsourced SOC monitoring just 5 percent of the IT estate, and Windows Server 2003 boxes still running in production.
Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding the company and individual schools negotiate ransom by May 12. The flaws are in user-generated-content features of the free Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier that ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.