Canvas / Instructure Data Breach: What North Carolina Schools, Parents, and IT Leaders Should Do Right Now

Posted: May 9, 2026 to Cybersecurity.

On April 25, 2026, an unauthorized actor accessed Canvas, the learning management system that every public K-12 school in North Carolina has used since 2015 and that powers online classrooms for roughly 41 percent of colleges and universities across North America. Two weeks later, on May 8, students and teachers in Wake County, Charlotte-Mecklenburg, Pitt County, Orange County, Durham, and a long list of other North Carolina districts logged in to find a ransom note from a hacker group calling itself ShinyHunters. The note gave Canvas owner Instructure until May 12 to pay or watch the data go public. CBS 17, WRAL, ABC11, WCNC, and WITN all reported on the incident and the cascading effect on North Carolina schools.

I was interviewed by CBS 17 about why criminals are increasingly targeting school districts and what families and IT leaders should do. The full story below covers the verified timeline, every North Carolina district named in public reporting so far, what was and was not exposed, why ShinyHunters chose Canvas, and the concrete moves parents, students, teachers, and district IT teams should make this week. None of this is hypothetical. The breach is live, the ransom clock is real, and the long tail of phishing and identity theft from a leak this size will run for years.

The Verified Timeline

The dates below come from Instructure's own statements to North Carolina districts, the NC Department of Public Instruction (NCDPI), and direct district communications to families. They tell a different story than the early "contained on April 30" framing.

• April 25, 2026. Initial unauthorized access. Instructure later described this as a criminal threat actor accessing customer data through the company's "Free-For-Teacher" account environment.
• April 29, 2026. Instructure detects the intrusion and revokes the attacker's access.
• April 30, 2026. Instructure says it expanded the investigation, revoked additional suspicious access, and addressed an underlying system vulnerability. Public statement at the time: no ongoing threat identified.
• Tuesday, May 5, 2026. Instructure formally notifies NCDPI, Wake County Public School System, and a long list of other North Carolina districts that they were impacted.
• Wednesday, May 6, 2026. Wake, Charlotte-Mecklenburg, and other districts notify parents.
• Thursday, May 7, 2026. A second compromise event hits. ShinyHunters delivers an in-app pop-up ransom message visible to logged-in Canvas users at multiple districts, claiming Instructure ignored their first contact and the May 1 "containment" never actually closed the attacker's foothold.
• Thursday-Friday, May 7-8, 2026. Wake County, Pitt County, Carteret County, and other districts cut off Canvas access while the situation is reassessed. NCDPI determines that students and staff cannot access Canvas through NCEdCloud.
• Friday, May 8, 2026. Canvas is restored at East Carolina University and many K-12 systems begin a phased return. Instructure tells reporters Canvas is "fully back online and available for use" and that the issue was connected to its Free-For-Teacher account environment.
• Monday, May 12, 2026. ShinyHunters' stated deadline to negotiate or have stolen data published.

That timeline matters because the window between April 25 access and May 5 district notification is ten days. In incident-response work that gap is where most damage happens. Phishing campaigns built on freshly exposed user lists hit inboxes long before the official disclosure email lands.

North Carolina Districts and Universities Named in Public Reporting

The list keeps expanding as Instructure works through its customer base. As of this writing, the following North Carolina school districts and post-secondary institutions have been publicly identified by their own statements or by reputable local news outlets as impacted by the Canvas breach:

• K-12 districts: Wake County Public School System, Charlotte-Mecklenburg Schools, Cabarrus County Schools, Catawba County Schools, Kannapolis City Schools, Union County Public Schools, Randolph County Schools, Davie County Schools, Guilford County Schools, Pitt County Schools, Carteret County Schools, Orange County Schools, Winston-Salem/Forsyth County Schools, Hertford County Schools, Madison County Schools, and the NC School of Science and Math.
• Universities and colleges: East Carolina University, Duke University, the University of North Carolina at Chapel Hill. ABC11 reported reaching out to NC Central, NC State, Durham Public Schools, Chapel Hill-Carrboro City Schools, and Cumberland County Schools to confirm potential impact.

NCDPI has stated it does not yet have confirmation on the full list of districts and charter schools affected. Instructure is contacting impacted customers directly. If your child's district has not yet sent a notice, that does not mean the district is unaffected. It means the district has not yet been told. The same was true for Wake County until May 5.

What Was Exposed and What Was Not

Based on Instructure's statements to districts and to reporters, the personal data accessed during the breach included:

• Student and staff names
• Email addresses
• Student IDs
• Basic directory-style information
• User communications inside Canvas (per Instructure's notice and per cybersecurity strategist Kimberly Simon, interviewed by WRAL)

Instructure has stated that the breach did not involve passwords, dates of birth, government identifiers (Social Security numbers), or financial data. That distinction matters legally and operationally, but it does not mean families can relax. Names plus email addresses plus student IDs is the exact ingredient list for highly convincing spear-phishing campaigns aimed at students, parents, and teachers. Adversaries can craft an email that references the right school, the right grade level, and a real student name with details a generic phishing email would never carry.

If user communications were also exposed (Instructure's wording leaves this open), the risk profile widens. Canvas conversations between teachers and students can include grade discussions, behavioral concerns, family contact details, and references to real-world events that a sophisticated adversary can use to build pretexts.

ShinyHunters and the May 12 Deadline

ShinyHunters is not a new name to the threat-intelligence community. Mandiant's chief technology officer Charles Carmakal told Krebs on Security that there are "multiple concurrent and discreet ShinyHunters intrusion and extortion campaigns happening right now." The Canvas event is part of a pattern.

The ransom note delivered through Canvas's own pop-up surface read in part: "ShinyHunters has breached Instructure (again). Instead of contacting us, to resolve it, they ignored us and did some 'security patches.'" The group instructed affected schools and universities to negotiate their own settlements directly, regardless of whether Instructure decides to pay. The deadline is end of day May 12, 2026.

Whether Instructure pays, whether individual districts pay, or whether everyone refuses, the data the attackers already have does not become un-stolen. This is the uncomfortable truth that the PowerSchool incident in December 2024 demonstrated. PowerSchool reportedly paid a ransom, watched the hacker delete the data on a video call, and yet cybersecurity analysts told local news that more state schools could still face extortion attempts in the wake of the attack. Once data is in adversary hands, paying the ransom only buys a promise.

Why Hackers Are Targeting Schools

CBS 17 asked me on May 8 why criminals keep going after school districts. My answer to them, on the record: "With the current threat landscape, hackers are going up the food chain and going after bigger fish. It's really putting a lot of pressure on these bigger companies to have more security testing and keep their systems more secure."

The economics are simple. A single edtech vendor sits between hundreds of districts and millions of student records. Compromise the vendor and you exfiltrate the entire ecosystem in one operation. PowerSchool was that vector in December 2024, affecting roughly 62 million people. The University of Pennsylvania incident in September 2025 was reported as a Penn-specific breach by most national press but, as one researcher put it to Krebs on Security, the September 2025 Penn breach now looks like a proof of concept for the May 2026 production run on Instructure's broader environment.

The other half of the answer is that student data is uniquely valuable for long-tail fraud. As I told CBS 17, "students probably have a lot of personally identifiable information, such as usernames, passwords. Hackers probably realize that statistically, people are using the same combination of username passwords for other things. If they can breach the individual who doesn't take security at a higher level as they should, then they can do identity theft and other things to those people." A thirteen-year-old who reused a school email password on a gaming forum, a streaming account, or a part-time job application has now handed an adversary multiple paths into their digital life. Years from now, when that student opens a credit card or files a first tax return, the same identity may already be quietly compromised.

This Is Bigger Than Canvas

The Canvas event is the third major K-12 supply-chain incident in eighteen months. PowerSchool in December 2024. Multiple downstream breaches at universities and K-12 districts in 2025. Penn in September 2025. Canvas / Instructure in April-May 2026. The pattern is a single edtech vendor compromised and the blast radius covering districts and universities the vendor serves.

The strategic question for every school superintendent, university CIO, and district board is no longer whether the next breach happens. It is whether the district has the controls in place to detect a vendor compromise quickly, contain its own data exposure, communicate honestly with families, and recover without paying tribute to a foreign criminal group. Most North Carolina districts are not where they need to be on those four capabilities.

What Parents Should Do This Week

Practical steps for any family with a student in a North Carolina K-12 school or a North Carolina university:

• Assume your child's name, school email, and student ID are now in adversary hands. Treat every email that references the school, the district, the student's grade, or a teacher's name with suspicion for the next twelve months. Phishing built on this data is what to expect.
• Reset any password that was ever reused with a school account. If your child uses the same password on Canvas as on Roblox, Discord, Snapchat, gaming forums, a streaming account, or an email address, change those other passwords immediately. Use a password manager rather than relying on memory.
• Turn on multi-factor authentication everywhere it is offered. Email, school portals, gaming accounts, social media. Authenticator apps are stronger than SMS codes.
• Talk to your child about the threat. Tell them that strangers may now know their name, school, and grade. Tell them to never click links in unexpected emails or DMs and to bring anything suspicious to a parent.
• Do not respond to any pop-up or email referencing ShinyHunters or the breach. The attackers want victims to engage. Engagement creates new attack surface and confirms a live target.
• Place a fraud alert on your child's credit file. Children should not have credit activity. A fraud alert at the three major credit bureaus surfaces any future attempt to open accounts in the child's name. This is free and worth the fifteen minutes.
• If your child is high-school age and using their school email for anything outside school, move those accounts to a personal email immediately.

Our 2026 Security Awareness Training course is built for adult employees but the modules on phishing recognition, credential hygiene, and social engineering apply just as directly to a teenager. Several school districts have already enrolled their faculty and staff in it. Parents who want to walk through it with a teen at home are welcome to enroll a single seat.

What District IT Teams Should Do This Week

If you sit in IT or technology leadership for a North Carolina school district, charter school, or post-secondary institution that uses Canvas, the following moves are urgent and most are free.

• Force-rotate Canvas API tokens, integration keys, and OAuth credentials. Instructure has explicitly recommended this. Anyone holding a stale Canvas API token after this week is operating on an unaudited foundation.
• Audit administrator and instructor accounts on Canvas. Disable any account that no longer corresponds to an active employee. Confirm MFA is enforced on every privileged account.
• Pull a full export of Canvas user data and integration permissions, then snapshot it. If something downstream goes wrong, you want a frozen reference of what the system looked like the day after the breach was disclosed.
• Send a phishing-warning notice to every parent and staff member. The attackers now have a fresh roster. Expect targeted spear-phishing aimed at parents impersonating teachers, the principal, the IT helpdesk, or even a fellow parent. The notice is not a panic message. It is a calibration message: here is what to expect, here is what to do, here is who to call if it happens.
• Review every other edtech and SaaS integration the district owns. The Canvas event is a vendor-supply-chain compromise. The same threat actor or one of its peers will target the district's grade book, school information system, library system, transportation app, lunch app, and parent portal next. Inventory those vendors. Confirm each one's incident-response contact and SLA.
• Tabletop the next vendor breach now, before it happens. Most districts have not run an incident-response tabletop in the last twelve months. Pick a Friday morning, gather IT, communications, legal, and a couple of board members, and walk through "the next vendor calls us at 3pm on a Tuesday and tells us our parent contact list is in the hands of a foreign criminal group." Identify the gaps before adversaries do.
• Verify your cyber insurance covers vendor breach incidents and that the carrier has been notified of this event. Carriers are increasingly drawing distinctions between first-party and supply-chain incidents. Read the policy.

If your district does not have the in-house capacity to do all of this in the next two weeks, that is the most common situation in North Carolina K-12 IT, and it is fixable. Petronella Technology Group's managed IT and security services were built for exactly this scenario. We work with districts and small post-secondary institutions on credentialed audits, phishing-resistant MFA rollouts, vendor risk reviews, tabletop facilitation, and 24/7 monitored detection and response. Our virtual CISO offering gives a district fractional senior security leadership at a fraction of a full-time hire's cost, with the experience to build the next-twelve-months program.

The Quiet Lesson: Vendor Risk Is the Real Surface

For more than a decade school cybersecurity conversations have focused on the wrong perimeter. The student device. The teacher laptop. The classroom router. Those still matter. But every breach of consequence in K-12 over the last three years has come through a SaaS vendor, not through a compromised classroom device. PowerSchool was a vendor breach. Illuminate was a vendor breach. Finalsite was a vendor breach. Canvas / Instructure is a vendor breach.

The implication is that every district's real attack surface is the list of edtech vendors it has signed contracts with. Each vendor that holds student data is a multiplier on risk. Districts cannot eliminate the vendors; the curriculum is built around them. What districts can do is treat vendor risk management as a first-class discipline, with a written inventory, a defined contact at each vendor, a documented data-flow diagram, an annual security review, and a clause in every contract that requires breach notification within seventy-two hours rather than the current "as soon as practicable" weasel language.

A surprising amount of this work falls under existing law. The Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and several North Carolina state-level statutes already create obligations around vendor handling of student data. Districts that took those obligations seriously before the Canvas event are in materially better shape this week than districts that treated FERPA compliance as a paperwork exercise.

How AI Changes This Threat (And Our Defense)

The phishing emails that will land in parent and student inboxes over the next twelve months will not be the broken-English low-effort scams of the early 2010s. They will be grammatically perfect, personalized, and in many cases generated and refined by large language models in seconds. The attacker simply feeds the breached student roster into a model and produces tens of thousands of unique, plausible messages.

The defensive answer involves AI on the same side as defenders. Petronella Technology Group runs private AI infrastructure in our own datacenter that powers behavioral email filtering, anomaly detection on identity events, and real-time analysis of inbound communications for districts and businesses we serve. The same AI that lets adversaries scale phishing also lets defenders scale detection, but only if the defender has the infrastructure in place. Read more on our AI services page or the cybersecurity practice overview.

Frequently Asked Questions

My child's school has not contacted me. Are we affected?

Possibly. Instructure is notifying districts in waves as it confirms the customer-by-customer data scope. If your child's district uses Canvas, assume the answer is "we do not yet know" and act as though you are affected: rotate reused passwords, enable MFA, and watch for phishing. NCDPI itself has said it does not yet have a complete list of impacted districts and charter schools.

Did the attackers get my child's Social Security number or birthdate?

According to Instructure's statements to NCDPI and to school districts, the breach did not include passwords, dates of birth, government identifiers, or financial information. That is the company's current position. If new disclosures change that, North Carolina law and federal regulations will require formal individual notice. For now, treat the exposed data as names, school email addresses, student IDs, and possibly user communications.

Should we just stop using Canvas?

That decision is up to each district and each university. Canvas is North Carolina's statewide K-12 learning management system per a 2015 NCDPI agreement, and replacing it mid-school-year is not realistic for most districts. The right response is not to abandon the platform but to harden its administrative surface (MFA, token rotation, access audit), to stop reusing the platform's email addresses outside the platform, and to demand from Instructure a clear post-incident technical accounting and improved breach-notification SLAs going forward.

Should our district pay the ShinyHunters ransom?

That is not a decision a district should make alone. Engage cyber-insurance counsel, the FBI field office (Charlotte or Raleigh), the North Carolina Department of Information Technology, and outside breach counsel before any communication with an extortion group. The PowerSchool experience in 2024 showed that paying does not guarantee deletion. Federal sanctions guidance also creates real legal risk if the threat group is on a sanctioned list at the time of payment.

Will my child's grades or coursework be lost?

No. Coursework, assignments, and grade data inside Canvas were not destroyed by the attacker. The attacker accessed and copied data; they did not encrypt or delete it. East Carolina University and most K-12 districts have already restored normal Canvas access since May 8.

What if my child sees the ShinyHunters pop-up?

Tell your child to close the browser tab, take a screenshot if comfortable doing so for documentation, do not click any link or download anything from the message, and report it to a teacher or the district IT helpdesk. The pop-up is designed to drive engagement. Do not engage.

Is Petronella Technology Group available to help our district?

Yes. Call 919-348-4912 or our compliance concierge Penny at 919-335-7902. We work with K-12 districts, charter schools, community colleges, and small private universities across North Carolina on managed security, vendor risk reviews, tabletop exercises, virtual CISO engagements, and emergency incident-response retainers. The first conversation is free and we do not require any commitment to schedule it.

What about HIPAA, FERPA, and state breach-notification obligations?

FERPA is the federal statute that governs education records privacy and has notification expectations for unauthorized disclosure. North Carolina General Statute § 75-65 requires written notice of a security breach to affected residents "without unreasonable delay" and notification to the NC Attorney General when more than 1,000 residents are affected. Districts and post-secondary institutions should be coordinating with their general counsel on these timelines now. Healthcare-facing parts of districts (school nurses, athletic trainers' records) may also have HIPAA obligations on top of FERPA, depending on what data flows into the LMS.

Bottom Line

The Canvas / Instructure breach is the most consequential K-12 cybersecurity event in North Carolina since the PowerSchool incident eighteen months ago. The exposure is broad, the threat actor is sophisticated and active, and the cleanup will run for months. Families should assume their student information is in adversary hands, rotate any reused passwords, turn on MFA, and stay alert to phishing for the next year. Districts should rotate API tokens, audit administrative access, send a clear phishing-warning notice to families, and use this event as the trigger for a real vendor risk management program.

Petronella Technology Group has been advising North Carolina schools, businesses, and government agencies on cybersecurity for more than two decades. Our team holds CMMC Registered Practitioner credentials across the practice. We deliver against FERPA, HIPAA, FTC Safeguards, IRS Pub 4557, GLBA, CMMC, and the new state privacy regimes simultaneously, and we run our own private AI infrastructure to keep client data on hardware we control. If your district, your business, or your family wants help thinking through what to do next, reach out.

Talk to us: Call our cybersecurity team at 919-348-4912 or our compliance concierge Penny at 919-335-7902. Explore our cybersecurity services or browse the training catalog. For broader context on how Petronella Technology Group leads with AI and builds security in, visit our AI hub.

Sources: CBS 17 (May 8, 2026); WRAL News (May 7-8, 2026); ABC11 / WTVD (May 7, 2026); WCNC Charlotte; WXII 12 News; WFMY News 2; WITN Greenville; Krebs on Security (May 2026); Pitt County Schools breach notification; Orange County Schools NCDPI cybersecurity update; NCDPI public statements. The author, Craig Petronella, was interviewed on the Canvas / Instructure breach by CBS 17 and is quoted herein. Author credential: CMMC Registered Practitioner. Last updated 2026-05-09.