RALEIGH — North Carolina’s largest school district was among those around the country alerting parents and staff to a cybersecurity incident involving the Canvas learning management platform.
According to the statement by Wake County Public School System (WCPSS), the breach began April 25 when a criminal threat actor gained access to the platform owned by Instructure Inc.
The most recent update from WCPSS says the district has “temporarily disabled the Canvas icon within the WakeID Portal while we work with our vendors and technology teams to verify system security and restore normal operations.”
A pop-up message on the WCPSS website says users should “not attempt to access Canvas through alternate links or bookmarks until further notice,” and users should “click on any links, download files, or respond to any messages related to the pop-up.”
Updates posted by Instructure say they detected the intruder April 29, immediately revoked access, and on April 30 took additional steps to address the vulnerability. The company has reported no ongoing threat as of May 7.
Instructure’s public status page updates on May 6 described the accessed information as “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
As of May 11, Instructure’s dedicated incident page says the company “reached an agreement with the unauthorized actor involved in this incident,” and that all data was returned.
The update also states, “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
Infrastructure says Canvas has been restored and is “fully back online and available for use.”
Additionally, Infrastructure confirmed that the breach occurred using an exploit of its “Free-For-Teacher accounts, and the company has temporarily shut down those accounts.
In its earlier communications, WCPSS had directed families to Instructure’s status page for more information.
Parents and students who use the Canvas portal can update their passwords and add two-factor authentication to secure their accounts.
The Canvas breach impacted other K-12 districts in the state as well as universities using the system. More than 8,000 institutions worldwide are customers, according to Instructure’s website.
The breach is the second major data-security incident to affect North Carolina public schools in recent years.
In late December 2024, PowerSchool, the previous student information system used by all 115 North Carolina districts, suffered a breach that exposed personally identifiable information such as names, addresses, medical information and Social Security numbers.
PowerSchool notified districts on Dec. 28, 2024, paid an undisclosed ransom and assured customers the data “would not be shared or made public” and “has been deleted without any further replication or dissemination.”
North Carolina officials later confirmed that fewer than 1,000 student Social Security numbers were among the exposed records.
Despite the company’s assurances, in May 2025 threat actors emailed 20 North Carolina school districts, including WCPSS, demanding bitcoin payments to prevent the release of the same data.
North Carolina Department of Public Instruction’s Chief Information Officer Vanessa Wrenn and State Superintendent Mo Green noted that the emails used tactics like those sent to PowerSchool the previous year, adding that PowerSchool’s earlier assurance “at least at this point, is proving to be incorrect.”
Also in May 2025, 19-year-old Matthew D. Lane of Massachusetts pleaded guilty in federal court to charges tied to the original PowerSchool breach, including conspiracy to threaten confidentiality of protected computer information, unauthorized access and aggravated identity theft. Court documents describe him accessing PowerSchool’s network in September 2024 using stolen credentials and later transferring the stolen data.
North Carolina transitioned all districts from PowerSchool to Infinite Campus beginning in the 2025-26 school year.
