The Canvas Mega-Breach, the Kochava Ban, and the DROP Countdown
The second week of May 2026 delivered three major privacy signals: the Canvas mega-breach, the FTC's Kochava crackdown, and California's upcoming DROP deletion platform rollout.
The Canvas/Instructure breach exposed data tied to roughly 275 million students, teachers, and staff across 8,809 institutions, making it the largest known education-sector breach on record.
Attackers linked to ShinyHunters reportedly stole 3.65TB of data, published private student-teacher messages, and carried out two separate ransom-related incidents within one week.
The FTC's May 4 settlement with Kochava bans the company and its successor entity from selling sensitive location data without affirmative express consent, creating the strongest US federal restriction yet placed on a location broker.
California's DROP platform launches August 1, 2026 and forces registered brokers to process centralized deletion requests every 45 days.
For CISOs and Chiefs of Staff, the throughline is direct: the same personal data that ends up in school records, marketing files, and broker databases is what attackers buy or steal to socially engineer your employees, your customers, and your students. Reducing that data footprint is no longer a 'nice to have' privacy line item — it's an enforceable obligation in California, an FTC consent-order template, and the operational fix for a breach the size of Canvas.
1. Canvas: 275 million records, 8,809 institutions, two ransoms in a week
On May 7, students opening their Canvas course sites at Columbia, Princeton, Harvard, Georgetown and thousands of K-12 districts saw a ransom note where their assignments used to be. Per Instructure's own statements summarized by CNN, the attackers — the ransomware crew ShinyHunters — claimed to have stolen 3.65 terabytes of data covering roughly 275 million users.
The compromised dataset includes usernames, email addresses, student ID numbers, course enrollments, and private messages between students and teachers. Instructure says it has found no evidence that passwords, dates of birth, government IDs, or financial information were taken. The Wikipedia incident timeline catalogues the chain of events: a May 1 initial breach, a May 3 ransom note, a May 6 'back to normal' announcement from Instructure, and then a second compromise on May 7 that defaced the public login page. On May 11 the company apologized for opaque communications and claimed the stolen data had been 'destroyed' under terms it has not disclosed.
Two practical consequences for the privacy program of any organization in higher ed, K-12, or workforce-development:
Student and staff PII is now in criminal hands and almost certainly in broker pipelines. Names plus institutional email addresses plus enrollment metadata are exactly the inputs a spear-phisher needs. Expect targeted credential-harvesting campaigns at affected institutions through the rest of 2026.
Vendor-risk reviews need an 'impact-of-a-second-breach' question. Instructure was breached twice in one week. The Canvas case is a reminder that ransomware crews do not always leave after the first negotiation; 'the data is destroyed' is a claim, not a control.
2. The FTC bans Kochava from selling sensitive location data
While the Canvas story dominated headlines, the bigger long-term signal came on May 4. The Federal Trade Commission announced a proposed order banning Kochava and its successor entity Collective Data Solutions (CDS) from selling, licensing, transferring, sharing, or disclosing sensitive location data without 'affirmative express consent' — and even then, only for a service the consumer directly requested.
The order is the resolution of a 2022 lawsuit alleging Kochava sold precise location data from hundreds of millions of mobile devices, including tracks that could be used to identify visitors to reproductive-health clinics, addiction-recovery facilities, places of worship, and domestic-violence shelters. The full settlement, summarized clearly by Privacy Guides, also requires Kochava and CDS to:
Build a 'sensitive location data program' with a comprehensive list of places whose visitors must never be sold;
Run a supplier-assessment program to verify upstream consent;
File incident reports to the FTC when third parties violate contractual restrictions;
Honor opt-outs and tell consumers which third parties received their data.
This is the strongest restriction the FTC has placed on a US location broker, and it builds on the agency's earlier PADFA warning letters to 13 data brokers about selling sensitive data to entities tied to foreign adversaries. Read together, the two actions form a clear federal-enforcement template that any sensitive-location-data seller should expect to see again — at up to $53,088 per violation under PADFA, and an open-ended consent-order remedy under Section 5.
For a deeper comparison of what the broker-removal market actually delivers post-Kochava, see our DeleteMe vs Priwall vs Optery vs Incogni 2026 comparison.
3. The DROP clock: California's first-of-its-kind deletion platform launches August 1
The third signal is the one most data brokers are quietly preparing for. California's Delete Request and Opt-out Platform (DROP) — the operational arm of the state's Delete Act — switches on August 1, 2026.
The California Privacy Protection Agency's overview describes DROP as 'the first system in the nation that allows you to send a single deletion request to every registered data broker in California.' More than 500 brokers must pull the hashed-identifier deletion list at least every 45 calendar days, match against their records, execute deletions, and report status back.
The headline number, surfaced at the 2026 IAPP Global Summit and analyzed by Perkins Coie, is what should focus broker boardrooms: with roughly 260,000 deletion requests already queued and a $200-per-day-per-consumer statutory penalty, a single missed cycle theoretically exposes one broker to up to $1.5 billion. Pending legislation (SB 1106) would compress the processing window from 45 days to 30, which would shrink the consumer-side roundtrip closer to 60 days.
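The broker-side loop DROP imposes (pull the hashed deletion list, match it against held records, delete, report) is easy to get wrong at the matching step, because a hash only matches if both sides normalized the identifier the same way. The block below is an added illustration, not CPPA, DROP or mePrism code; it assumes SHA-256 over lower-cased, whitespace-trimmed email addresses, which is an assumption about the list format, not something the page specifies. The sample consumer requests and broker records are constructed.

```python
"""Illustrative DROP-style deletion cycle for a data broker (added example).

Assumptions (not from the page): the platform publishes SHA-256 hashes of
normalized email addresses, and the broker reports back how many hashes
matched. Real DROP file formats and hashing rules may differ.
"""
import hashlib
from datetime import date


def normalize_email(addr: str) -> str:
    # Both the platform and the broker must apply the same normalization,
    # otherwise identical people produce different hashes and never match.
    return addr.strip().lower()


def hash_identifier(addr: str) -> str:
    # Assumed hash construction: SHA-256 over the normalized UTF-8 address.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_deletion_list(consumer_emails):
    """Platform side (assumed): publish hashes only, never the raw identifiers."""
    return sorted({hash_identifier(e) for e in consumer_emails})


def process_deletion_cycle(records, deletion_hashes):
    """Broker side: match the hashed list against held records, drop matches,
    and return (surviving records, status report for the platform)."""
    wanted = set(deletion_hashes)
    kept = {}
    deleted_hashes = []
    for email, profile in records.items():
        if hash_identifier(email) in wanted:
            deleted_hashes.append(hash_identifier(email))
        else:
            kept[email] = profile
    matched = set(deleted_hashes)
    report = {
        "hashes_received": len(wanted),
        # One consumer can map to several stored rows (case/whitespace variants),
        # so records_deleted may exceed hashes_matched.
        "records_deleted": len(deleted_hashes),
        "hashes_matched": len(matched),
        "hashes_unmatched": len(wanted - matched),
    }
    return kept, report


def cycle_overdue(last_pull: date, today: date, window_days: int = 45) -> bool:
    """Compliance check: has the broker gone longer than the statutory window
    (45 days on the page; 30 if SB 1106 passes) without pulling the list?"""
    return (today - last_pull).days > window_days


# Constructed sample data: three consumers filed deletion requests.
CONSUMER_REQUESTS = ["Alice@Example.com", "bob@example.org", "dana@example.io"]

# Constructed broker database: keyed by the address exactly as it was ingested,
# including a duplicate for Alice and a trailing space on Bob's row.
BROKER_RECORDS = {
    "alice@example.com": {"city": "Sacramento"},
    "Alice@example.com": {"city": "Sacramento", "source": "list-vendor-2"},
    "BOB@example.org ": {"city": "Fresno"},
    "carol@example.net": {"city": "Oakland"},
}


def run_demo():
    deletion_list = build_deletion_list(CONSUMER_REQUESTS)
    remaining, report = process_deletion_cycle(BROKER_RECORDS, deletion_list)
    return remaining, report


if __name__ == "__main__":
    remaining, report = run_demo()
    print("remaining records:", sorted(remaining))
    print("status report:", report)
    print("overdue on 2026-09-20 after an Aug 1 pull:",
          cycle_overdue(date(2026, 8, 1), date(2026, 9, 20)))
```

The report distinguishes hashes matched from records deleted so that a broker holding several rows for one person can still show the platform that every row went. Dana's hash is unmatched, which is the expected outcome for a consumer the broker never held and not an error.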
Two state-level developments rhyme with DROP:
Vermont's H.211, now in effect per ZwillGen's regulatory recap, raises the data-broker registration fee to $900, lifts the per-day failure-to-register penalty to $200 with no cap, and adds a $25,000 penalty for materially incorrect registration filings.
Twenty states now have comprehensive consumer-privacy laws in effect, per MultiState's 2026 tracker, with Indiana, Kentucky, and Rhode Island the newest entrants.
What to do this quarter
Three concrete actions, sized for different roles:
If you are a CISO or Chief of Staff at an institution touched by Canvas: treat the breached PII as actively in adversary hands. Run a 30-day spear-phish tabletop using affected email patterns, and audit which third-party data brokers carry the exposed employees and students. Priwall by mePrism is built for that audit.
If you operate or partner with any sensitive-data broker: read the Kochava order line by line. The 'sensitive location program' plus supplier-assessment plus opt-out architecture is the new floor. Build it before your enforcement letter arrives.
If you are a California resident, an HR leader of California employees, or a consumer-facing brand: file your DROP request the day the platform opens. Sign up for Priwall coverage and we will operate it on your behalf, alongside our broader broker-removal workflow.
The data-broker reckoning is no longer theoretical. The Canvas breach is the operational case study; the Kochava ban is the federal template; DROP is the state-level enforcement floor. Priwall by mePrism exists to make sure your name, your executives' names, and your employees' households are not the next public exhibit.
Ready to try mePrism yourself?
If you are an individual executive evaluating personal coverage outside an employer-funded program, you can start with a free exposure scan.
Sign up for Priwall by mePrism coverage.
By Thomas Daly, CEO, mePrism Privacy. Thomas leads mePrism Inc., the company behind Priwall by mePrism, and writes regularly on consumer privacy regulation and the B2B economics of data-broker removal.