ctipilot.ch

Mass third-party exposures: Xsolis, Texas Parks & Wildlife, Canvas

notable incident discovered 2026-06-29 00:21 UTC

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

Three large data exposures, all traced to a third party rather than the named organisation: Xsolis (1.4M patients via a healthcare-AI processor), Texas Parks & Wildlife (3.08M licence holders via an unnamed licence-sales vendor, with a public-vs-AG-filing SSN contradiction noted in § 11), and the Canvas/Instructure LMS breach (160 UK universities). The recurring control gap is vendor data-minimisation and breach-notification SLAs.

data-breach supply-chain us uk