May 2026 saw an evolution of the cyber incidents highlighted in SWK’s previous Cybersecurity News Recaps, including more suspected hacking by Iran-backed actors and an apparent major resurgence of the notorious ShinyHunters gang over the past few months. This month also saw several other significant cyber incidents within the manufacturing industry, as well as multiple upcoming compliance deadlines, though one of the latter has been disrupted due to federal funding issues and pushback from affected parties.
Continue reading below to learn more about some of the top cybersecurity news stories from May 2026 in this recap by SWK Technologies:
Lawsuit Filed Against OpenAI for Sharing Data
A class action complaint filed in California federal court accuses OpenAI of embedding Meta’s Facebook Pixel and Google Analytics in the ChatGPT web interface, transmitting query topics, user identifiers and email addresses to those platforms without user consent. The suit argues that conversations users assumed were private — including questions about finances, health and legal matters — have been treated as marketing telemetry, in violation of the Electronic Communications Privacy Act, the California Invasion of Privacy Act and the California Constitution. The filing is one of several ongoing legal challenges being levied against AI providers, including a separate verdict dismissing Elon Musk’s claims against OpenAI on statute of limitations grounds and state-level scrutiny of other artificial intelligence vendors.
SEC Regulation S-P June 3 Compliance Deadline Approaching
Smaller financial service entities covered under amendments to the U.S. Securities and Exchange Commission’s (SEC’s) Regulation S-P must reach full compliance by June 3, 2026, the second phase of a rule that took effect for larger institutions in December 2025. The updated rule requires covered firms to adopt written incident response procedures, notify affected individuals within 30 days of a breach involving sensitive personal information and impose contractual breach-reporting obligations on service providers within 72 hours. The deadline applies to registered investment advisers with less than $1.5 billion in assets under management, smaller broker-dealers, smaller investment companies, transfer agents and funding portals, with the SEC signaling examination scrutiny in the months that follow.
ShinyHunters Hit Canvas, 7-Eleven and More Throughout 2026
ShinyHunters claimed responsibility for a breach of Instructure, the parent company of the Canvas learning management system (LMS) used by 41 percent of higher education institutions in North America, with the group asserting it stole data from roughly 275 million users across over 9000 schools. After the incident was disclosed on May 1, 2026, the hacker group hijacked Canvas login pages on May 7 to demand a settlement, disrupting finals week at institutions including Duke, Harvard, the University of Pennsylvania and the University of Wisconsin. Instructure later confirmed it had reached an agreement with the attackers and that the stolen data had been destroyed, though the terms have not been disclosed publicly. A public service announcement issued by the FBI on May 15 warned of follow-on extortion attempts tied to the same group, without referring to Canvas or Instructure directly. The same actors were also tied to a confirmed data breach at 7-Eleven that exposed franchisee documents and a breach at medical device maker Medtronic, with other 2026 victims including educational publisher McGraw Hill, Dutch telecom operator Odido and Carnival Cruises — with the Medtronic listing later removed from the leak site.
CISA Credentials Exposed in Public GitHub Folder
A contractor for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository titled Private-CISA that exposed administrative credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems and access tokens for the agency’s internal software artifactory. The exposure was flagged on May 15 by a researcher at GitGuardian after the account owner failed to respond to automated alerts, with the contractor having explicitly disabled the platform’s default secret detection feature and committed to the repo since November 2025. One researcher described the incident to Krebs on Security as the worst leak of his career, citing plaintext credentials in CSV files and concern that an attacker who reached the artifactory could insert malicious code into CISA software builds. A senator on the Homeland Security Committee has requested a classified briefing on the incident, adding to scrutiny that follows earlier reporting about sensitive document uploads to ChatGPT by former acting director Madhu Gottumukkala and his subsequent polygraph dispute.
Pennsylvania Pharmaceutical Manufacturer Recovers after Ransomware
West Pharmaceutical Services, a Pennsylvania-based maker of injectable drug packaging and delivery systems, disclosed in a May 7 filing with the SEC that it had detected a material cyberattack on May 4 in which an unauthorized party exfiltrated data and encrypted certain systems. The company took portions of its network infrastructure offline globally, restricted access to enterprise systems and engaged Palo Alto Networks Unit 42 for incident response while notifying law enforcement, with shipping, receiving and manufacturing temporarily disrupted across multiple sites. By the time the company posted a mid-month update, critical processes had restarted at certain locations and the company said it had taken steps to mitigate the risk of stolen data being released. No ransomware group has publicly claimed responsibility for the intrusion, though the absence of a leak listing has prompted speculation that a ransom may have been paid.
Government Says Iran Hacked Multiple Gas Stations Across U.S.
U.S. officials suspect Iran-linked actors are behind a series of intrusions targeting automatic tank gauge systems that monitor fuel levels at gas stations across multiple states, exploiting devices that were exposed to the Internet without password protection. While there are no reports of physical damage or altered fuel levels, the breaches let intruders tamper with display readings and, in theory, allow a fuel leak to go undetected, according to experts and officials briefed on the investigation. Investigators caution that attribution may remain unresolved because of limited forensic evidence, though Iran’s history of targeting fuel and water systems makes it a leading suspect. The activity follows a six-agency advisory issued in April warning of Iranian-affiliated exploitation of programmable logic controllers (PLC) across U.S. critical infrastructure and earlier disruptions at water utilities and industrial sites.
Foxconn Confirms Ransomware Breach in North America
Taiwan-based electronics manufacturer Foxconn, a major supplier to Apple, Nvidia, Google, Dell and Intel, confirmed a cyberattack affecting several of its North American factories after the Nitrogen ransomware group listed the company on its dark web leak site. The group claimed to have stolen roughly 8 terabytes of data across more than 11 million files, including confidential project documentation, schematics and technical drawings tied to client work, with disruption reported at sites in Mount Pleasant, Wisconsin, and Houston, Texas. Foxconn said its cybersecurity team activated incident response measures, that affected facilities were returning to normal production, and analysts examining sample files said the leaked materials appeared concentrated on Foxconn’s internal engineering rather than unreleased Apple product designs. Security analysts noted that the incident fits a broader pattern of ransomware activity against manufacturers with low tolerance for downtime, with reporting on the breach pointing to long-running interest in the supplier among extortion groups.
CIRCIA May 2026 Finalization Pushed Back
CISA had targeted May 2026 to finalize its rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), though the agency has indicated that a February shutdown at the Department of Homeland Security is likely to push the timetable further. Under the proposal, covered entities would report covered cyber incidents within 72 hours and ransom payments within 24 hours, with scope reaching any business in one of 16 critical infrastructure sectors that exceeds the Small Business Administration size standard. CISA estimates the rule would apply to more than 300,000 entities and has used the additional time to host town hall meetings addressing industry concerns over scope, harmonization with other federal reporting requirements and definitions for substantially similar events.
Are You Protected Against the Latest Cybersecurity Threats?
Between Iran, resurgent ransomware gangs and AI, the cybersecurity landscape is shifting quickly, making it much more difficult for existing policies and tools to keep up with the latest threats. SWK Technologies can help keep your team and defenses up to date with emerging risks that affect your business, providing you with peace of mind in a changing digital world.
Contact SWK here to learn more about our solutions and services for managed security, and let us help you assess your tools, tighten your policies and close the gaps attackers are counting on you to miss.