TL;DR

Three major breaches hit this week — Nike lost 1.4 TB of proprietary data, Brightspeed saw over a million customer records hit by ransomware, and Canvas suffered a 3.65 TB breach affecting 275 million users. The connecting thread? Compromised credentials, massive dwell time, and attackers who increasingly bypass perimeter defenses by exploiting trusted relationships. If your business still treats cybersecurity as an annual compliance checkbox, these breaches explain exactly why that approach is failing.​‌‌‌​‌‌‌‍​‌‌​​‌​‌‍​‌‌​​‌​‌‍​‌‌​‌​‌‌‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌

The Nike Breach: 1.4 TB of Crown Jewels Gone

On May 19, 2026, Nike confirmed it was investigating a potential data breach after the cybercrime group WorldLeaks publicly claimed to have stolen approximately 1.4 terabytes of internal data. The haul reportedly includes more than 188,000 files spanning product design blueprints, manufacturing specifications, supply chain contracts, and operational documents.

What happened: WorldLeaks operates as an extortion-first group — rather than encrypting systems and demanding ransom for decryption keys, they steal data and threaten to publish it unless the victim pays. This model has surged in 2026 because it works even against organizations with robust backup strategies. You cannot restore your way out of a d

ata leak.​‌‌‌​‌‌‌‍​‌‌​​‌​‌‍​‌‌​​‌​‌‍​‌‌​‌​‌‌‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌

How bad was it: 1.4 TB of intellectual property and supply chain data represents years of competitive advantage handed to adversaries. Product designs, vendor pricing, manufacturing processes — this is the kind of information that ends up on competitor desks or in knockoff factories within weeks. Nike's market capitalization and brand trust both face material risk.

How it could have been prevented: Data loss prevention (DLP) tools monitoring for bulk exfiltration events. Network segmentation that limits lateral movement from any single compromised account. Anomaly detection on data access patterns — no legitimate user needs to download 188,000 files in a single session.

What your business should do this week: Audit which accounts have access to your most sensitive intellectual property. If a marketing intern can reach engineering drawings, you have a segmentation problem. Implement alerts for bulk data downloads and establish a data classification system so you at least know what you would lose.

Brightspeed Ransomware: A Million Customers Exposed

Telecommunications provider Brightspeed disclosed a ransomware attack in mid-May 2026 attributed to the Crimson Collective, a relatively new but aggressive cyber extortion group. The breach allegedly affected more than one million users, with customer personal information potentially compromised alongside operational disruption.

What happened: Crimson Collective deployed ransomware that encrypted Brightspeed's systems while simultaneously exfiltrating customer data — the now-standard double-extortion playbook. Even if Brightspeed restores from backups, the threat of publishing customer data remains. The group is part of a growing wave of ransomware operations that emerged in late 2025 and early 2026, filling gaps left by law enforcement disruptions of established groups.

How bad was it: Beyond the immediate operational disruption, Brightspeed faces regulatory scrutiny across multiple states. Telecom providers handle sensitive customer data including addresses, billing information, and in some cases social security numbers. At one million affected users, the breach notification costs alone — letter printing, mailing, credit monitoring subscriptions, call center staffing — could easily exceed several million dollars before any regulatory fines or legal settlements.

How it could have been prevented: Ransomware actors overwhelmingly enter through phishing emails, unpatched VPN appliances, or compromised remote access tools. Brightspeed's exact entry vector remains under investigation, but the pattern is consistent: enforce phishing-resistant multi-factor authentication on all external-facing services, patch critical vulnerabilities within 48 hours of disclosure, and segment networks so ransomware cannot propagate from a compromised workstation to customer databases.

What your business should do this week: Verify that every internet-facing service — VPNs, remote desktops, webmail, admin panels — requires phishing-resistant MFA (hardware keys or passkeys, not SMS). Check your patching cadence. If you are still running VPN software with known CVEs from 2025, you are accepting unnecessary risk.

The Canvas Breach: 275 Million Users and a Familiar Attacker

The hacking group ShinyHunters claimed responsibility for a devastating breach of Canvas, the learning management system used by educational institutions worldwide. The attackers reportedly stole 3.65 terabytes of data from approximately 275 million users, including private messages exchanged between students and educators.

What happened: ShinyHunters is the same group behind the Canada Life breach in April 2026, where they accessed personal information of 70,000 people through a compromised employee account. Their operational pattern is consistent: identify a target with large data stores, gain access through stolen credentials or social engineering, exfiltrate quietly, then announce the breach on dark web forums to maximize pressure. The Canvas breach follows this playbook precisely.

How bad was it: 275 million user records including private messages creates a privacy nightmare. Educational data is particularly sensitive — it includes student performance records, personal communications, and in some cases disability or health information shared in academic contexts. Regulatory exposure spans multiple jurisdictions, and the reputational damage to Canvas as a trusted educational platform is severe.

How it could have been prevented: The compromised employee account pattern demands stricter identity controls. Privileged access management (PAM) solutions that rotate credentials, session recording for admin accounts, and behavioral analytics that flag login anomalies — such as an employee account suddenly accessing bulk user data from an unusual location — all represent defenses that could have stopped this attack.

What your business should do this week: Review all admin and privileged accounts. Disable any that are unused. Implement session timeouts and require re-authentication for sensitive data access. If you use a third-party platform that stores large volumes of customer data, ask them directly about their access controls and breach history. Their security posture is your security posture.

The Pattern Connecting These Breaches

Look past the individual company names and three clear attack patterns emerge from this week's incidents:

Compromised credentials remain the number one entry vector. Whether through phishing, credential stuffing, or stolen session tokens, attackers are walking through the front door using legitimate login details. MFA adoption is improving but still inconsistent, and SMS-based MFA is increasingly bypassed by SIM-swapping and adversarial-in-the-middle attacks.

Data theft extortion is replacing traditional ransomware. WorldLeaks, Crimson Collective, and ShinyHunters all prioritize data exfiltration over encryption. This trend means that even organizations with perfect backups still face catastrophic losses. Your backup strategy protects availability. It does nothing for confidentiality.

Third-party and platform risk is compounding. Canvas hosts data for thousands of educational institutions. A single breach cascades to every school, university, and student on the platform. The same pattern applies to your business — your CRM, your accounting software, your cloud hosting provider. Every third party in your technology stack is an extension of your attack surface.

The Australian Cyber Security Centre (ACSC) has repeatedly emphasized that supply chain attacks tripled between 2024 and 2026. Third-party involvement now appears in approximately 30% of all reported breaches globally, according to recent analysis by DeepStrike. This is not a theoretical risk. It is the dominant threat model of 2026.

FAQ

Is my small business really at risk from these types of attacks?

Yes. Ransomware groups increasingly target small and mid-sized businesses because they often lack dedicated security teams and are more likely to pay ransoms quickly. The average ransomware payment for businesses under 500 employees exceeded $150,000 in early 2026 according to VikingCloud research. Attackers also use SMBs as stepping stones to reach larger supply chain partners.

What is the single most effective thing I can do this week?

Enable phishing-resistant multi-factor authentication on every external-facing service your business uses. This one step blocks the majority of credential-based attacks. Prioritize email, VPN, and any admin console. If you currently use SMS for MFA, upgrade to authenticator apps or hardware keys.

How do I assess my supply chain risk?

Start by listing every third-party service that handles your data or has access to your network. For each one, verify they have: current SOC 2 or ISO 27001 certification, a published vulnerability disclosure policy, and contractual obligations to notify you of breaches within 72 hours. If they cannot provide these, you have identified your weakest link.

What should I do if we experience a breach?

Isolate affected systems immediately to prevent further data loss. Contact your cyber insurance provider and a qualified incident response firm. Do not attempt to negotiate with attackers directly. In Australia, report the incident to the ACSC through their online portal. Document everything — your response timeline matters for regulatory compliance and legal defense.

Conclusion

Nike, Brightspeed, and Canvas are not cautionary tales for other large enterprises. They are proof that the same attack patterns — stolen credentials, excessive access privileges, and inadequate data monitoring — continue to succeed against organizations of every size and budget. The difference between a breach that makes national news and one that quietly forces a small business into bankruptcy is primarily a matter of scale, not technique.

Your action items for this week are straightforward: audit privileged access, enable phishing-resistant MFA everywhere, and start mapping your third-party risk. None of these require a massive security budget. They require attention and consistency.

If you are unsure where your business stands, do not wait for the breach notification letter to find out. Visit consult.lil.business for a free cybersecurity assessment — we will identify your gaps before someone else does.

References

  1. The State of Ransomware 2026 — BlackFog
  2. Major Cyber Attacks, Data Breaches & Ransomware in April 2026 — Cyber Management Alliance
  3. Supply Chain Cybersecurity Statistics 2026 — DeepStrike
  4. 2026 Canvas Data Breach — Wikipedia
  5. The Biggest Cybersecurity Breaches of 2026 — ACI Learning

TL;DR

  • Cyberattacks cost businesses over €200 billion every year — that's like losing a whole country's worth of money
  • More than half of businesses think AI won't change anything — but bad guys are already using AI to trick people
  • Your business needs a security plan, not just security software
  • New rules called NIS2 mean business owners are personally responsible for security

What Is This Report About?

Imagine someone broke into your store and stole everything. Now imagine that happening to thousands of businesses, every single day. That's what cyberattacks do.

A new report from Schwarz Digits (a big German tech company) found that cyberattacks now cause 70% of all money problems for businesses [1]. In Germany alone, that's over €200 billion every year — more than many countries make in a year.

This isn't just about big companies. Small businesses get hit too. And when they do, it can shut them down for weeks. They lose customers. They lose money. Sometimes they never reopen.

The Big Mistake Everyone's Making

Here's the scary part: more than half of businesses think AI (artificial intelligence) won't change anything for security [1].

They're wrong.

Think of AI like this: imagine a burglar who could break into 1,000 houses at the same time, instead of just one. That's what AI lets bad guys do in computers.

They use AI to:

  • Write fake emails that look exactly like real ones from your bank or boss
  • Create computer programs that break into systems automatically
  • Figure out your passwords by trying thousands of combinations per second

These aren't genius hackers. They're regular people using AI tools to do things that used to take experts years to learn.

The Good News: AI Protects You Too

The same AI that bad guys use? You can use it to protect yourself.

Think of it like hiring a security guard who never sleeps, can watch 1,000 security cameras at once, and notices when something looks weird — like someone trying a door at 3am.

AI security tools can:

  • Watch your business computers 24/7 for suspicious activity
  • Spot fake emails that look real
  • Lock down your systems automatically if something bad happens
  • Back up your files so you can't lose them

The question isn't whether AI will change security. It already has. The question is: will you use AI to protect yourself before bad guys use it against you?

Related: AI Attacks Now Steal Your Data in 72 Minutes

Why Small Businesses Are in Danger

You might think: "I'm too small to be a target."

Here's why that's wrong:

1. You have old computers and systems Big companies update their security all the time. Small businesses often use old software because it works and they don't want to change. But old software has holes — like leaving your back door unlocked because "it's always been unlocked."

2. You don't have a computer security expert Big companies have teams of people whose whole job is security. Small businesses might have one IT person who's also fixing printers and setting up WiFi. They're too busy to think about security plans.

3. Your employees use tools you don't know about This is called "shadow IT." Someone signs up for a free cloud storage service to share files. Another person downloads a free app for their phone. Nobody told the IT person. Nobody checked if it's safe. Now bad guys have a way in that nobody's watching.

What Is NIS2? (And Why You Should Care)

There's a new law in Europe called NIS2. It stands for "Network and Information Systems."

Here's what it means for you:

Business owners are personally responsible.

Not the IT person. Not the tech company you hired. You. The business owner.

If your business gets hacked and you didn't follow the rules, you can be fined. A lot. And in some cases, you can be personally sued.

The good news: NIS2 isn't as scary as it sounds. It's basically asking you to:

  • Have a security plan (like having a fire safety plan)
  • Know what important data you have and where it is
  • Have backups in case something goes wrong
  • Check your security regularly
  • Make sure your vendors and suppliers are secure too

Think of it like health inspections for restaurants. Annoying? Sometimes. Necessary? Absolutely.

What You Can Do Right Now

You don't need to spend millions. You don't need to be a computer genius. Here's how to start:

1. Make a list of what matters most What data would destroy your business if you lost it? Customer information? Financial records? Product designs? Write it down. That's your "protect at all costs" list.

2. Back it up If you have backups, hackers can't hold your data hostage. Use the 3-2-1 rule: 3 copies, 2 different types of storage (like a hard drive AND the cloud), 1 copy offsite.

3. Use strong passwords (and a password manager) Every account needs a unique password. Use a password manager so you don't have to remember them all. Turn on two-factor authentication (where it sends a code to your phone) everywhere you can.

4. Train your people Your employees are your first line of defense. Teach them to spot fake emails. Tell them to ask if something seems weird. Make it OK to say "I think this might be a scam."

5. Get help if you need it If you don't have a security expert, hire one. Even for a few hours to review your setup and make a plan. It's cheaper than recovering from a hack.

The Most Important Thing

Security isn't a product you buy. It's a habit you build.

Lock your doors. Back up your files. Think before you click. Teach your people to do the same.

Do these things consistently, and you'll be ahead of most businesses — including big ones with huge security budgets.

Need help building a security plan that fits your business and budget? Book a free consultation. We make security simple.consult.lil.business

FAQ

Yes. Hackers use automated tools to attack thousands of small businesses at once. They're not targeting you specifically — they're casting a wide net. Small businesses are actually easier targets because they often have weaker security.

Backups. If you have good backups, ransomware can't hurt you. Use the 3-2-1 rule: 3 copies, 2 types of storage, 1 offsite. Test your backups regularly to make sure they actually work.

It depends on your size and industry, but basic security (passwords, backups, training, antivirus) costs very little. The report shows that cyberattacks cost €200 billion annually — spending a few hundred dollars on security is like buying insurance for your house [1].

It happens. That's why you need: (1) backups so you can recover, (2) antivirus to catch threats, and (3) incident response so you know what to do. Training reduces clicks, but nobody's perfect.

No. AI is a tool, not a replacement. Think of it like a power drill — it makes the work faster, but you still need someone to use it. AI handles the boring stuff so human experts can focus on the important decisions.

References

[1] Schwarz Digits, "The Cyber Security Report 2026 — A rude awakening for SMEs," Schwarz Digits, 2026. [Online]. Available: https://xpert.digital/en/cyber-security-report

[2] National Cyber Security Centre (NCSC), "Small Business Guide," UK Government, 2025.

[3] CISA, "Cybersecurity for Small Business," Cybersecurity & Infrastructure Security Agency, 2025.

[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.

[5] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2025.

[6] Google, "Working Securely," Google Workspace, 2025.

[7] Microsoft, "Security Baseline," Microsoft Learn, 2025.

[8] Small Business Administration (SBA), "Cybersecurity Resources," SBA, 2025.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation