Asheville City Schools warns of Canvas cybersecurity incident, possible data theft

Asheville City Schools warned parents and staff on May 8 that a cybersecurity incident involving Canvas may have exposed names, email addresses, student ID numbers and internal messages, creating a fresh phishing risk for Buncombe County families who use the platform for school communication and assignments.

The district said the main danger now is not a shutdown of Asheville City Schools systems, but messages that could look real because they include student information already tied to Canvas accounts. Families were told to be suspicious of any email about account verification or password resets that they did not request, and the district said it never asks for Canvas passwords by email.

Instructure, the company behind Canvas, notified Asheville City Schools on May 5 about the incident after detecting unauthorized activity on April 29. The company said it found no evidence that passwords, Social Security numbers, dates of birth or financial information were compromised. By May 7, Canvas was available again for most users, according to Instructure’s status page.

For parents, the immediate takeaway is practical: a name and student ID number can be enough to make a scam message look credible. That can lead to fake requests for logins, personal details or urgent action through links that appear to come from a school or platform account. Asheville City Schools said its biggest current concern is targeted phishing built around those stolen details.

The district said it was working with the North Carolina Department of Information Technology, the NCLGISA IT Strike Team, the North Carolina Department of Public Instruction and its cyber insurance carrier while it audited internal systems to confirm no unauthorized access occurred through its connection to Canvas. The district has not described the incident as a full compromise of its own network.

North Carolina education officials also warned districts statewide about the Canvas incident, reflecting how widely the platform is used in public schools. Nationally, reports said nearly 9,000 schools worldwide may have been affected and that the hacking group ShinyHunters claimed responsibility.

Instructure said it had contained the incident and recommended stronger defenses, including multi-factor authentication on privileged accounts, review of admin access and rotation of API tokens or keys where applicable. For Asheville families, the immediate task is to ignore unsolicited login prompts, verify any school message through approved channels and change passwords only through official school systems if instructed to do so.