Wake County schools warn families of Canvas cyberattack, data may be exposed

Names, email addresses, student ID numbers and messages among users may have been exposed in a cyberattack on Canvas, the online learning platform Wake County students and staff use for assignments, announcements, calendars and parent communication. Wake County Public School System said current student and staff data may have been accessed, although it said there was no indication that passwords, birth dates, government identifiers or financial information were involved.

The timing of the warning is likely to unsettle families across Wake County. The district said it was notified on May 5, 11 days after the April 25 incident, and sent notice to parents on May 6. That gap matters in a county system serving 161,115 students, 20,376 employees, 10,974 teachers and 203 schools, because even a limited breach touches a school community larger than many North Carolina towns.

Canvas sits inside everyday school life, not just a back-office database. North Carolina Department of Public Instruction describes it as a learning management system integrated with NCEdCloud, and districts can obtain it through a state-negotiated convenience contract. In Wake, that makes the platform a central channel for classwork and communication, so any security incident instantly becomes a family issue as well as an IT problem.

Instructure Inc., the company behind Canvas, said on May 1 that it was investigating a criminal cybersecurity incident. On May 2, it said the incident appeared to have been contained. By May 6, Instructure said Canvas was fully operational and there was no ongoing unauthorized activity. The company said the information involved appeared to include names, email addresses, student ID numbers and messages among users.

Instructure said it revoked privileged credentials and access tokens, patched systems, rotated certain keys and increased monitoring. It also recommended that customers enforce multi-factor authentication on privileged accounts, review administrator access and rotate API tokens or keys where needed. For Wake families, the most immediate steps are straightforward: change passwords for school-related accounts, use unique passwords for each service, turn on multi-factor authentication wherever it is available, and watch closely for suspicious messages that could try to use stolen school information.

The incident also lands in a district still coping with memories of the earlier PowerSchool breach, making this the second notable school-technology security problem in two years. That history raises a broader question for Wake County and for districts across North Carolina that rely on the same learning systems: whether schools are getting faster notice, stronger vendor safeguards and clearer disclosure when the tools families depend on every day are compromised.