Mass third-party exposures: Xsolis, Texas Parks & Wildlife, Canvas

Three large data exposures all traced to a third party rather than the named organisation: Xsolis (1.4M patients via a healthcare-AI processor), Texas Parks & Wildlife (3.08M licence holders via an unnamed licence-sales vendor, with a public-vs-AG-filing SSN contradiction noted in § 11), and the Canvas/Instructure LMS breach (160 UK universities). The recurring control gap is vendor data-minimisation and breach-notification SLAs.