Four things from the past working week that a UK board should know about, in the order they would matter if you had to brief a chair over coffee on Monday morning. A shorter list than last week, because the signal-to-noise ratio improved. The signals that remain are worth attending to.

1. Canvas LMS was breached, and the UK is in the affected user population

On 25 April unauthorised actors accessed Instructure's Canvas learning management system. The intrusion went undetected for four days; Instructure confirmed it on 29 April, contained it shortly afterwards, and disclosed publicly on 1 May. ShinyHunters subsequently claimed the attack. Names, email addresses, identifier numbers, and message contents are reported stolen. Canvas serves roughly thirty million active users across more than eight thousand institutions, including UK schools, universities, and corporate learning departments.

The four days of undetected dwell time before detection is the part that should bother people. By the time Instructure noticed, the data was already out.

For boards. If your firm uses Canvas for learning and development (many do, often via a procurement decision the board never saw), you may have a breach notification obligation of your own: where your firm is the data controller, the UK GDPR clock runs from when you become aware, whoever operated the compromised system. The right question is “which of our SaaS providers hold personal data we are accountable for, and how would we know if any of them had a four-day silent compromise tomorrow?”

2. cPanel disclosed a zero-day that had been exploited for months

On 30 April cPanel disclosed CVE-2026-41940, a critical vulnerability affecting all cPanel and WHM versions after v11.40. Successful exploitation grants the attacker complete control of the cPanel host, its configurations and databases, and every website it manages. The vulnerability had been actively exploited in the wild for months before the patch became available.

This is the failure mode that traditional patch-window assurance does not catch. By the time a patch was published, the attackers had already been exploiting the flaw for months, and a metric that starts its clock at disclosure never saw that exposure.

For boards. “Our average time to patch critical CVEs is under seven days” is the wrong metric in isolation. The right metric pairs it with “we know within hours when a critical CVE relevant to our estate is disclosed”. The cPanel case shows why: a zero-day is only a known issue once it is disclosed; the exploitation predates the disclosure. The control that matters is detection of behaviour, not detection of known signatures.
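The “we know within hours when a critical CVE relevant to our estate is disclosed” control is, at its core, a join between a disclosure feed and an asset inventory. The script below is an added illustration, not code from this briefing or from cPanel: the feed schema, the inventory and the second disclosure are constructed, and the only real identifier is CVE-2026-41940 with the affected range the briefing states (all versions after v11.40). The part practitioners get wrong is the version comparison, which must be numeric; compared as strings, “11.9” sorts after “11.40” and a vulnerable host silently drops out of the match.

```python
"""Match a vulnerability-disclosure feed against an asset inventory.

Added example. Feed format, inventory and the EXAMPLE-2 record are constructed
for illustration; CVE-2026-41940 is taken from the briefing with its stated
affected range (">11.40"). No vendor's real feed schema is assumed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    host: str
    product: str   # normalised lowercase product name
    version: str   # version string as reported by the host


@dataclass(frozen=True)
class Disclosure:
    cve: str
    product: str
    severity: str
    affected: str   # comma-separated constraints, e.g. ">11.40" or ">=16.0,<16.3"
    exploited: bool  # vendor or CISA KEV says exploited in the wild


def parse_version(v: str) -> tuple:
    """Turn 'v11.40.2' into (11, 40, 2) so comparison is numeric, not lexical.
    Lexical comparison ranks '11.9' above '11.40'; that is the classic bug."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
}


def version_matches(version: str, constraint: str) -> bool:
    """True when every clause of the constraint holds for the version."""
    ver = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*v?([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        if not OPS[m.group(1)](ver, parse_version(m.group(2))):
            return False
    return True


def exposed_assets(inventory, feed):
    """Return (disclosure, asset) pairs where the asset falls inside the
    disclosure's affected range. Exploited-in-the-wild entries sort first,
    because for those the exposure started long before the disclosure."""
    hits = []
    for d in feed:
        for a in inventory:
            if a.product == d.product and version_matches(a.version, d.affected):
                hits.append((d, a))
    hits.sort(key=lambda da: (not da[0].exploited, da[0].cve, da[1].host))
    return hits


def briefing_lines(hits) -> list:
    """One line per exposed host, in the order a board brief would list them."""
    return [
        f"{d.cve} ({d.severity}{', exploited in the wild' if d.exploited else ''}): "
        f"{a.host} runs {a.product} {a.version}, affected range {d.affected}"
        for d, a in hits
    ]


INVENTORY = [  # constructed
    Asset("web-01", "cpanel", "v11.110.0"),
    Asset("web-02", "cpanel", "11.9"),   # lexically after '11.40', numerically before
    Asset("db-01", "postgres", "15.4"),
]

FEED = [  # constructed; CVE-2026-41940 range as stated in the briefing
    Disclosure("CVE-2026-41940", "cpanel", "critical", ">11.40", exploited=True),
    Disclosure("EXAMPLE-2", "postgres", "high", ">=16.0,<16.3", exploited=False),
]

if __name__ == "__main__":
    for line in briefing_lines(exposed_assets(INVENTORY, FEED)):
        print(line)
```

Run against the constructed data, only web-01 is reported: web-02 is excluded because 11.9 is numerically below 11.40, and db-01 sits outside the second range. In a real estate the feed would be polled on a schedule measured in hours, and the inventory would come from the CMDB or agent telemetry rather than a literal list; the join itself does not change.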

3. UK automotive data analytics provider Autovista hit by ransomware

Autovista, a UK-based data analytics provider serving the automotive sector across Europe and Australia, confirmed a ransomware attack this week. The firm provides vehicle valuation and market intelligence services to insurers, fleet operators, and resellers. Reported impact includes systems-level disruption and data theft.

It is not a household name. It is the kind of supplier that sits two steps back from the customer-facing brand, providing data that informs underwriting and pricing. Those are exactly the firms whose outages produce knock-on effects in regulated sectors without making headlines.

For boards. Insurance and financial-services boards should ask whether any of the data feeds underpinning their pricing or claims models are dependent on Autovista or its peers, and what the contingency looks like if one such feed goes dark for a week. This is the unglamorous side of third-party concentration risk.

4. April closed as the worst month for ransomware on record

Global disclosures totalled 105 publicly reported ransomware incidents in April — the highest April since tracking began. The UK ranked third by volume with 30 confirmed attacks, behind the US and Canada. Healthcare was the only sector where attacks increased month-on-month, rising nearly 10% from March.

The number itself matters less than the slope. Three consecutive months of growth, with healthcare and shared service providers carrying the weight of the impact, points to a market for ransomware that is still expanding rather than maturing.

For boards. This is the month to ask the executive whether the firm's ransomware playbook has been exercised under realistic conditions in the past twelve months. “Yes, we have a playbook” is the wrong answer. “Yes, the audit committee chair was in the room when we last ran it” is the right one.

The thread that ties this together

Three of these four stories are about discovery latency: Canvas detected its breach four days late, the cPanel flaw was exploited for months before anyone detected and disclosed it, and Autovista becomes a story only when its customers feel the absence. The pattern is the same: by the time you know, it has already mattered.

The question worth taking into next week: what would we currently be the last to find out about, and what would change that?