Wake County Schools Restore Canvas Access After Nationwide Data Breach


Key Takeaways

  • Wake County Public Schools restored Canvas access on Monday after confirming no remaining risk with state officials; staff and students must reboot WakeID‑issued devices.
  • Chapel Hill‑Carrboro City Schools also resumed Canvas use around 4 p.m. Monday following a third‑party cybersecurity assessment by CrowdStrike.
  • Durham Public Schools has not yet restored Canvas access, while Cumberland County’s status remains pending inquiry.
  • The Canvas outage originated from a cyber‑security incident affecting Instructure’s free‑for‑teacher version; the service was briefly taken down May 7 and restored May 8 for paid customers only.
  • Two separate breaches (April 29 and May 7) exposed student names, email addresses, ID numbers, and some platform messages; no highly sensitive data such as Social Security numbers were reportedly compromised.
  • Hackers employed a “pay or leak” extortion tactic, threatening to release data unless a ransom was paid; cybersecurity experts warn that paying does not guarantee data safety and is illegal for North Carolina public entities.
  • The attackers claimed affiliation with the notorious ShinyHunters group, though investigators suggest they may be imitators seeking notoriety rather than actual members of that collective.
  • Authorities advise vigilance against phishing and extortion attempts, emphasizing that stolen contact information can be used for further social‑engineering attacks even if the initial data appears low‑risk.

Wake County Restores Canvas Access After State Briefing
On Monday, the Wake County Public School System announced that Canvas had been made available again for students and staff. A notice on the district’s website instructed users to reboot their WakeID‑issued devices before attempting to log in. The restoration followed a morning briefing with officials from the North Carolina Department of Public Instruction, which assured Wake County leaders that no residual threat remained. Wake County is a paid subscriber to Instructure’s Canvas service and did not utilize the free‑for‑teacher accounts that were implicated in the breach.

Chapel Hill‑Carrboro Resumes Use After CrowdStrike Review
Chapel Hill‑Carrboro City Schools also reported a return to normal Canvas operations around 4 p.m. Monday. The district’s release noted that the North Carolina Department of Public Instruction had reinstated Canvas‑related services to normal levels after an interim assessment conducted by the cybersecurity firm CrowdStrike. The evaluation concluded that the platform could be safely used again, prompting the district to notify families and staff of the resumption.

Durham and Cumberland Counties Lag Behind
In contrast, a spokesperson for Durham Public Schools confirmed that the district had not yet restored Canvas access for its students or staff as of Monday. The district did not provide a timeline for when service might be reinstated. WRAL News reached out to Cumberland County Schools to ascertain its status, but no response had been received at the time of writing, leaving the situation uncertain for those communities.

Nationwide Outage Traced to Free‑for‑Teacher Vulnerability
The Canvas disruption began last week when a cyber‑security incident affected Instructure’s learning‑management platform nationwide. Canvas, which districts rely on for lesson plans, assignments, and teacher‑student communication, was briefly taken down on Thursday, May 7. Instructure restored the service on Friday, May 8, but only for paid customers; the free‑for‑teacher version remained offline while the company investigated the breach. The incident forced many North Carolina schools to suspend Canvas use pending further guidance.

Chronology of the Two Breaches
Before the Monday restorations, most North Carolina districts had kept Canvas locked down. This caution followed a second breach on May 7 that revealed hackers had not only accessed data but also taken control of certain system features. The first intrusion occurred on April 29, when attackers initially gained entry through a vulnerability in the free‑for‑teacher tier. Both incidents prompted Instructure to pause the Free‑for‑Teacher account program and to notify affected institutions about potential exposure.

Data Exposed: Names, Emails, IDs, and Limited Messages
Instructure stated that the compromised data included student names, email addresses, student ID numbers, and some messages exchanged within the platform. Notably, the breach did not appear to involve highly sensitive information such as Social Security numbers, financial details, or academic records. According to the North Carolina Department of Justice, such data alone does not trigger mandatory breach‑notification statutes unless it could be combined with other information to facilitate financial fraud.

“Pay or Leak” Extortion Tactics and Expert Warnings
The attackers employed an increasingly common “pay or leak” strategy, threatening to publish the stolen data unless a ransom was paid. Cybersecurity investigator Allison Nixon of Unit 221B described the scheme as a scam, noting that perpetrators often exaggerate the value or danger of the data they claim to hold and may not honor promises to delete it after payment. Nixon emphasized that paying the ransom does not guarantee safety and can encourage further criminal activity.

Legal Barriers and Historical Precedent in North Carolina
North Carolina law prohibits government entities, including public school districts, from paying ransoms to cybercriminals. This restriction aims to discourage the financing of illicit enterprises. A prior incident involving PowerSchool—North Carolina’s longtime statewide information system—illustrates the futility of such payments. After paying a ransom to regain access to stolen teacher and student data, many educators later received extortion messages threatening to release the same information unless additional money was sent, proving that the initial payment did not resolve the threat.

Assessing the Severity of the Canvas Data
While any data exposure is concerning, experts judge the Canvas breach to be less severe than incidents like the PowerSchool leak. Names, email addresses, and student IDs alone typically do not meet the threshold for mandatory identity‑theft notifications under state law. However, the information could still be weaponized for phishing campaigns or social‑engineering attacks if combined with other data gleaned from separate sources.

Recommendations for Vigilance Against Phishing and Extortion
Cybersecurity professionals advise students, parents, and staff to remain alert for unsolicited emails or messages requesting personal information or payment, especially those that reference the Canvas breach. Even if the stolen data appears benign, attackers may use contact details to craft convincing phishing attempts aimed at harvesting credentials or distributing malware. Regular password updates, multi‑factor authentication, and skepticism toward unexpected requests are key defensive measures.

Hackers Claim Association with ShinyHunters, Experts Doubt
The intruders have publicly identified themselves as members of the notorious cybercrime group ShinyHunters, known for high‑profile breaches of companies such as AT&T, Salesforce, and Snowflake. Allison Nixon observed that it is common for threat actors to adopt the name of a well‑known gang to amplify fear and leverage the group’s reputation. In this case, Nixon believes the Canvas attackers are distinct from the genuine ShinyHunters crew, asserting she has identified the individuals, knows they have previously targeted her own firm, and that they are already known to law enforcement.

Motivation Behind the Attacks: Seeking Notoriety
Beyond financial gain, Nixon suggested that the hackers’ actions are driven by a desire for fame and notoriety within the underground cyber‑crime community. By aligning themselves with a recognizable brand like ShinyHunters and threatening to leak student data, the perpetrators aim to attract attention, boost their reputation, and potentially negotiate higher ransoms in future schemes. Understanding this motive helps explain why they may resort to intimidation tactics even when the actual data they hold is of limited intrinsic value.
