ctipilot.ch


Education (NL, UK, DE)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Education saw the week's clearest cross-jurisdiction concentration via the Canvas / Instructure chain (full multi-day arc in § 2): 44 Dutch institutions confirmed by SURF; seven Dutch universities (VU Amsterdam, UvA, Erasmus Rotterdam, Tilburg, TU/e, Maastricht, Twente) executed emergency Canvas disconnects on or before 2026-05-09 after the second-intrusion claim; three major UK universities (Oxford, Cambridge and Liverpool, with Liverpool notifying the ICO under GDPR Article 33); the Dutch DPA opened a preliminary investigation; the UK ICO was informed. The vector, a compromised integration service account for a third-party LTI tool provider rather than Canvas core infrastructure, connects the education-sector picture directly to the third-party-credentials supply-chain class also visible in Vimeo/Anodot and Zara/Anodot (The Next Web — largest education data breach in history · NL Times — Canvas hack: 44 Dutch universities and schools · Techzine EU · daily 2026-05-10).