Wednesday, May 13 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-05-11 00:00 to 2026-05-13 23:59 (UTC)

Snapshot Summary

Sector / Section                 Headline Highlights                        Count
Digital Investigations           Canvas evidence, water oversight           2
Cyber Investigations             Foxconn, real-estate breach                2
Major Cyber Incidents            Manufacturing and education disruption     2
Exploits & Threat Intelligence   Patch Tuesday, package attacks             2
Law Enforcement                  FTC alert, data-regulator findings         2
Policy & Standards               Japan review, vendor patching              2

Digital Investigations

Canvas owner Instructure said in the United States [AMER] that it reached an agreement with ShinyHunters after stolen education-platform data was claimed from thousands of schools. Investigators now need to preserve portal defacement records, Free-For-Teacher account telemetry, negotiation timelines and customer-notification evidence to test deletion claims and determine whether downstream extortion risk remains (Source: Reuters, 12-05-2026).

The UK Information Commissioner’s Office found in England [EMEA] that a water company failed to detect attackers inside its network for nearly two years before performance degradation exposed the compromise. The case underlines the evidential value of long-retention logs, endpoint baselines and operational-technology change records when reconstructing dwell time across essential-service networks (Source: The Record, 11-05-2026).

Cyber Investigations

Foxconn confirmed in North America [AMER/APAC] that a cyberattack disrupted factories after the Nitrogen ransomware group claimed 8TB of sensitive supplier and customer data. Investigators should correlate manufacturing-site outages, leak-site artifacts, claimed schematics and partner exposure notices to separate verified exfiltration from extortion-stage inflation (Source: The Register, 12-05-2026).

A proposed US class action [AMER] alleged Cushman & Wakefield exposed tenant and client information after a vishing-led intrusion attributed in filings to ShinyHunters and Qilin. The litigation will turn on identity-theft evidence, voice-phishing call records, access-control logs and whether stolen Social Security, driver-license and financial data can be matched to attacker disclosures (Source: New York Post, 12-05-2026).

Major Cyber Incidents

Instructure’s Canvas incident expanded across global education users [AMER/EMEA/APAC] as reports said attackers claimed access to data tied to nearly 9,000 schools and threatened further release. The incident matters because academic platforms concentrate minors’ personal records, institutional communications and identity data, requiring evidence correlation across tenant portals, school notices and attacker infrastructure (Source: The Verge, 13-05-2026).

West Pharmaceutical warned in the United States [AMER] that a ransomware attack was affecting operations at a company supplying containment and delivery systems to healthcare and pharmaceutical customers. Investigators should prioritise production-impact timelines, supplier communications, compromised credential evidence and recovery logs because disruption in regulated manufacturing can create both safety and evidential-chain questions (Source: The Record, 12-05-2026).

Exploits & Threat Intelligence

Microsoft’s May Patch Tuesday shipped worldwide [AMER] with fixes for 120 vulnerabilities and no reported zero-days, including critical remote-code-execution and privilege-escalation issues. Patch validation teams should map exploited-path potential against estate inventories, collect pre-patch exposure evidence and preserve failed-update telemetry for later compromise assessment (Source: BleepingComputer, 12-05-2026).

RubyGems temporarily suspended new account registrations globally [EMEA/AMER] after threat actors published hundreds of malicious packages and maintainers described the activity as a DDoS-linked abuse campaign. Package investigators should capture namespace histories, publisher metadata, dependency graphs and install telemetry quickly because registry clean-up can erase artifacts needed to prove downstream compromise paths (Source: SecurityWeek, 13-05-2026).

Law Enforcement

The US Federal Trade Commission issued consumer guidance [AMER] after the Canvas cyberattack, warning students and families that personal information may have been exposed. The alert gives investigators a public baseline for victim-notification timing, fraud indicators and identity-protection advice that can be compared with school communications and attacker claims (Source: FTC, 12-05-2026).

Dutch reporting said the Netherlands’ data-protection authority found a healthcare laboratory [EMEA] failed security requirements before a cyberattack, adding regulatory scrutiny to incident reconstruction. Forensic teams should expect close examination of access controls, breach-notification chronology, patient-data handling and whether missing safeguards materially increased the scale of compromise (Source: NL Times, 13-05-2026).

Policy & Standards

Japan’s prime minister ordered a government cybersecurity review [APAC] after concerns that advanced vulnerability-finding AI could accelerate attack scale and speed. The policy signal matters for investigators because faster exploit discovery compresses evidence-preservation windows and increases the need for pre-positioned logging, coordinated disclosure records and repeatable triage standards (Source: The Register, 12-05-2026).

SAP published its May Security Patch Day update from Germany [EMEA], listing critical notes for Commerce Cloud and Forecasting & Replenishment among other enterprise systems. Enterprise investigators should document vulnerable module exposure, transport histories and compensating controls before remediation, because patch timing can become central evidence after ERP-linked intrusion or fraud investigations (Source: SAP, 12-05-2026).

Editorial Perspective

This cycle shows how digital investigations increasingly depend on preserving cross-platform evidence before platforms, registries or victims complete clean-up. Education, manufacturing and healthcare cases all require investigators to reconcile public claims, internal telemetry, legal filings and regulator statements into a defensible chronology. The practical priority is evidential integrity: immutable logs, scoped data maps and documented decision trails must exist before negotiation, patching or restoration changes the scene.

Attribution remains difficult where ransomware groups, supply-chain abuse and vishing claims overlap, so investigators need repeatable methods for separating attacker branding from verified technical indicators. The strongest cases will combine identity evidence, endpoint artifacts, registry histories, payment or negotiation records and victim-notification timelines. Organisations that prepare those collection routes in advance will be better positioned to support legal action, regulatory review and reliable public disclosure.

Tags

Canvas, ShinyHunters, Nitrogen ransomware, Foxconn, RubyGems, Patch Tuesday, SAP Commerce Cloud, vishing, evidence preservation, data protection, supply chain, vulnerability management
