Wake County student, school staff data at risk in nationwide data breach
AI-generated summary reviewed by our newsroom.
- Wake County alerted families and staff that a data breach may have exposed personal data.
- Instructure detected the April 25, 2026 attack on April 29 and revoked access.
- ShinyHunters claimed the Canvas data breach exposed data on over 275 million people.
The Wake County school system is warning families and school employees that it’s been affected by a nationwide data breach that could have exposed personal information.
In a message on Wednesday, the school district said there was a security breach involving Canvas, which is part of North Carolina’s statewide learning management system. Similar alerts are being sent out by school districts across the nation.
“Based on the information we have received, personal data of current staff and students may have been accessed, but there is no indication that passwords, dates of birth, government identifiers, or financial information were involved in the breach,” the alert said. “We will provide further information on what data was accessed as it becomes available.”
This is at least the second data breach affecting North Carolina schools in recent years. In 2025, a hacker got into the PowerSchool student information system that was being used at the time by North Carolina public schools.
Criminal extortion group hacks system
Canvas is an online learning management system where students access assignments and materials, The Charlotte Observer reported. It’s owned by an education technology company called Instructure. It’s widely used by school districts around the country and roughly 41% of colleges and universities in North America.
Over the weekend, Instructure was hacked by ShinyHunters, a criminal extortion group that’s also been linked to data breaches at three Ivy League institutions in late 2025. The group claimed its attack on Instructure affected nearly 9,000 schools worldwide and exposed personal identifying information for over 275 million students, teachers and staff, according to Inside Higher Ed.
Wake and the North Carolina Department of Public Instruction were notified about the data breach Tuesday.
“On April 25, 2026, Instructure experienced a cybersecurity incident perpetrated by a criminal threat actor,” Wake said. “Instructure detected the attacker on April 29 and immediately revoked the access.
“On April 30, as the investigation expanded, they revoked additional suspicious access and addressed underlying system vulnerability. Instructure has found no indicators of an ongoing threat.”
Wake said people can get more information on Instructure’s website at https://status.instructure.com/
This story was originally published May 6, 2026 at 8:18 PM with the headline "Wake County student, school staff data at risk in nationwide data breach."