This month's key compliance news includes the Adanis' bribery case, the Southport data breach by NHS workers, Shakira's tax refund, and more.
Our pick of compliance stories this month
- Canvas owner pays hackers after university cyberattack
- Adanis agree to pay $18m in bribery case
- NHS workers accessed Southport records 'inappropriately'
- US banks increase spending on CEO security
- Rise in banned cotton entering supply chains, finds report
- FCA fines and bans director for misconduct in pension advice
- Shakira to receive €55m tax refund after errors
Canvas owner pays hackers after university cyberattack
The company behind the widely used Canvas learning platform has admitted reaching an agreement with hackers after a cyberattack disrupted thousands of universities and colleges across the UK, US, Canada and Australia.
The attack caused major outages during exam season, leaving many students unable to access revision materials or complete online assessments. Hackers claimed to have stolen 3.5 terabytes of student and university data and threatened to publish it unless a ransom was paid.
Instructure, the company that owns Canvas, said the agreement resulted in the return of the stolen data, “digital confirmation” that it had been destroyed, and assurances that students and universities would not face further extortion. Although the company did not directly confirm a ransom payment, cybercriminal groups such as Shiny Hunters typically demand bitcoin payments in exchange for deleting stolen files.
Security experts warn that paying hackers is risky because there is no guarantee stolen data is truly erased. Law enforcement agencies generally advise organisations not to pay ransoms, arguing that it encourages further attacks.
The breach became highly visible when ransom messages suddenly appeared on student screens during exams. Despite criticism over negotiating with cybercriminals, Instructure said its priority was protecting student and staff data and reducing further harm to affected institutions.
Adanis agree to pay $18m in bribery case
The head of Adani Group, Gautam Adani, and his nephew Sagar Adani have agreed to pay a total of $18 million to settle a lawsuit brought by the US Securities and Exchange Commission (SEC).
In 2024, the regulator accused the Adanis of paying over $250 million in bribes to Indian officials in order to secure high-value renewable energy contracts. Six other executives were also charged with the Adanis.
Gautam Adani will pay $6m and his nephew will pay $12m to settle the charges.
The same lawsuit by the SEC also claimed that the pair misled investors about their anti-bribery practices while seeking to raise funds through a bond offering. The firm brought in around $750 million from investors, including $125 million from US investors.
The Adani Group, one of India's biggest conglomerates with interests in transport and energy, insists that the allegations are "baseless". According to media reports, the criminal fraud charges against Gautam Adani are likely to be dropped.
Key takeaways:
- Follow your company's Gifts and Hospitality policy - make sure you know what is and is not acceptable, including the limits and thresholds
- Remember, many anti-bribery laws (including the UK Bribery Act) have extra-territorial reach - meaning you can be prosecuted for bribes paid anywhere in the world
- Have proper oversight of third parties and intermediaries - you can be found guilty of bribes paid by consultants and intermediaries, even without your knowledge
- Take extra care in all dealings with foreign public officials – including state-owned entities
- Declare any gifts and hospitality you receive – in line with your company's policy and rules
- Talk to Compliance or Legal – if you feel there are legitimate reasons to accept or offer anything outside your company's limits or thresholds.
NHS workers accessed Southport records 'inappropriately'
A hospital trust has confirmed that 48 staff accessed the medical records of victims of the Southport knife attack inappropriately.
The data breach took place at Aintree Hospital in Liverpool, where injured people were treated following the attack at a Taylor Swift-themed dance class in July 2024.
Three patients were affected by the breach, including class teacher Leanne Lucas.
Lucas, who was stabbed five times in the attack and sustained multiple injuries, said, "I am absolutely devastated and horrified that my privacy has been invaded when I was at my most vulnerable. Nothing will take away my gratitude to the staff who saved my life, but 48 people not involved in my care abused their position of trust to access the files of victims who have suffered unspeakable trauma."
The breach was discovered following a standard audit that was conducted days after the attack.
The NHS University Hospitals of Liverpool Group (UHLG) described the breach as "inexcusable" and said that changes had been made as a result.
The chief executive of UHLG, James Sumner, said the trust was "sincerely sorry for any distress that may have been caused to the patients". He added that staff had faced disciplinary action ranging from "informal counselling to a final written warning" but none were dismissed.
Lucas said, "The decision to keep this from me for almost two years is a new low. I am speaking out as I want this scandal and the attempted cover up by senior management exposed for what it is."
She also criticised the Information Commissioner's Office (ICO), stating that it had known about the breach since August 2024 and that she was only told about the breach because a journalist had been in touch.
Sumner said that "relevant regulators and professional bodies" were contacted.
In a statement, UHLG said:
"Breaches of patient confidentiality are inexcusable and undermine the hard work of those teams who sought to provide the highest standard of care to these patients after they experienced such traumatic and life-changing events. Staff who were found to access patient records were subject to HR disciplinary processes."
"When we concluded our investigation into the incident, we consulted the clinical team who had managed the patients' care and made a decision not to inform the patients involved, taking into consideration the potential psychological impact it may have upon them at the time."
The ICO said a criminal investigation is not planned "at this time" but added:
"We continue to remind all healthcare organisations about the importance of keeping patient data secure."
Key takeaways:
- Train your team - so they recognise personal data and take appropriate precautions when processing it
- Take extra care when handling special category data and other sensitive personal information - including information on health, racial and ethnic origin, genetic and biometric data, religious beliefs, political opinions, sex life and sexual orientation, as well as criminal offence data
- Only access personal information if you have a valid 'need to know' - this is vital to maintain confidentiality, your reputation and public trust
- Arrange adequate monitoring and oversight - including audits, to monitor compliance and detect unauthorised access, use or downloads
- If you have concerns or think there has been a data breach, tell your company right away - we are required to notify the ICO within 72 hours and the individuals affected "without undue delay" where there is a risk to their rights and freedoms
- Remember, public authorities can face reprimands, enforcement notices and fines if they get it wrong.
US banks increase spending on CEO security
US banks are increasing their spending on security for CEOs to keep them safe, according to filings by Goldman Sachs, JPMorgan and Wells Fargo.
The rise follows the murder of Brian Thompson, UnitedHealthcare's CEO, in Manhattan in December 2024. In July 2025, a gunman also killed four people in Park Avenue, the headquarters of Blackstone.
Speaking to The Banker, Glen Kucera, the president at Allied Universal Enhanced Protection Services, which also owns G4S, said:
"Violence towards company leaders is on the rise. Societal polarisation and economic instability are contributing to more unpredictable — and even indiscriminate — violence. Executives are facing more exposure than ever before and security programmes have had to evolve to keep up."
Wells Fargo increased its spending by 700%, spending $555,000 on security last year.
Statements filed with the Securities and Exchange Commission also show that Goldman Sachs spent around $165k on security for its senior leaders.
In a proxy statement, the bank said:
"We do not consider these security measures to be personal benefits but rather business-related necessities due to the high-profile standing of these executives and the firm's evaluation of the threat environment related to them."
In the 2026 World Security Report:
- 42% of security chiefs said the threat of violence towards executives had increased
- 75% of companies were targeted by a misinformation campaign
- Key executives contribute around 30% or more of a company's value
- 97% of global institutional investors think that providing physical protection for executives is important
"Many boards have a genuine reason to be concerned and are responding to a quantifiable increase in risk — not just reacting to fear or a one-off event."
Rise in banned cotton entering supply chains, finds report
The amount of banned cotton detected in clothing in the West has risen for the first time in four years, according to a report by Oritain, a forensic origin-verification company.
Oritain believes that the rise in illegal materials in apparel supply chains may be due to the shift in manufacturing by companies as they try to reduce the impact of US tariffs.
"When you need to move quickly, you may not be able to do the diligence that you really would have wanted to. That opens the door to risk."
As part of its report, Oritain sampled 1,000 finished garments including T-shirts, jackets and baseball caps from 40 brands sold across the US, Canada, Europe, Australia and New Zealand. Oritain is not disclosing the names of the brands and they did not know their items were being tested. It looked for materials from regions such as the Xinjiang area of China, Turkmenistan and Uzbekistan that are banned by law or customers' sourcing policies.
- 13% of garments contained raw materials sourced from prohibited regions
- 90% of the 40 sampled brands used materials from the regions in at least one garment
"The more you look into your supply chain, the more surprises you're going to find. This is everywhere. If we talk about it honestly and openly, we've got a better chance of dealing with it."
Governments in the US and Europe are cracking down on materials produced using forced labour or that contribute to deforestation, with the new European Union Deforestation Regulation expected later this year. Companies may face fines and reputational damage for any violations.
Oritain uses forensic science techniques to establish the geographic origin of cotton, leather and timber, among other things. Its customers include Lacoste, Patagonia and Carhartt.
FCA fines and bans director for misconduct in pension advice
The UK regulator, the FCA, has fined Frank Breuer £755,000 and banned him from working in financial services for "repeatedly acting without integrity and putting customers at risk for personal financial gain".
Mr Breuer was the co-owner and director of Bluesky Wealth Management, which provided pensions and investment advice. The company was authorised to advise on defined benefits (DB) pension transfers. However, from April 2019 onwards, it failed to maintain the required professional insurance.
This meant customers might not get compensation if something went wrong.
Despite this, Mr Breuer conducted at least 16 DB pension transfers without the proper insurance. He also repeatedly misled the FCA about the company's insurance position.
Mr Breuer agreed to restrictions imposed by the FCA to protect customers and their assets in October 2019. However, he ignored those restrictions, paying himself substantial dividends in loans and moving money into different accounts.
The FCA had concerns about the suitability of Bluesky's advice by September 2020, and, from June 2022, the Financial Ombudsman Service upheld several complaints against Bluesky on the DB advice that Mr Breuer had given. Bluesky was subsequently placed into insolvency, leaving customer liabilities of around £215k to be met by the Financial Services Compensation Scheme.
"Mr Breuer sought to evade paying compensation due to customers as a result of his own bad pension advice and feathered his own nest in the process, stripping substantial assets from his firm. He repeatedly misled the FCA and flouted FCA restrictions. He's not fit to work in financial services."
Shakira to receive €55m tax refund after errors
Shakira is expected to receive a €55 million payment. A court in Madrid ruled that Spain's tax authorities were wrong to impose fines on the Colombian singer and that they had made mistakes regarding her tax status.
Shakira was fined five years ago after the Agencia Tributaria said that she had not paid the relevant taxes in Spain in 2011. It was described at the time as a "very serious infringement" and Shakira paid €24m in income tax and €25m in fines.
The Audiencia Nacional has upheld her appeal and acquitted the singer of tax fraud, ordering the tax authorities to repay the money, with interest and costs.
The court said that the tax authorities had failed to prove that Shakira had spent more than 183 days in Spain that year, requiring her to pay personal income tax in the country.
In a statement, it said:
"On the contrary, the court understands that Shakira's stay in our country was 163 days and that the tax agency has therefore not proved that the singer had core economic interests in Spain … as set out in the terms established [by law]."
The judgement relates to the 2011 tax case. In 2023, the singer agreed a deal to settle a separate tax fraud case covering 2012-2014.
In a statement, Shakira said:
"After more than eight years of enduring a brutal public shaming, orchestrated campaigns to destroy my reputation, and countless sleepless nights that ended up affecting my health and the wellbeing of my family, the Audiencia Nacional has finally set things right."
The tax agency plans to appeal.
Written by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.