Cyber Incident Victim: Wake County school system
Date:
May 2026
Location:
United States of America
Summary
Following a breach of the Canvas learning management system, a ransomware pop‑up appeared for users demanding payment to stop the release of personal information. The Wake County school system responded by disabling access to Canvas and advising staff and students not to log in or engage with the message. Officials said that while some personal data may have been accessed, there was no evidence that passwords, birthdays, government identifiers or financial details were compromised. The incident also affected other institutions using Canvas, including several universities, which reported similar outages and are monitoring the situation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 7, 2026, students and educators who logged into the Canvas learning management system encountered a pop‑up message that claimed to be from the hacking group ShinyHunters and demanded contact to negotiate a settlement by May 12 or risk public exposure of personal information. The message stated that Instructure, the parent company of Canvas, had been breached again and gave a deadline of the end of the day on May 12, 2026, before data would be leaked. Instructure posted on its website that Canvas was down following the attack. Wake County school system announced on Thursday that it was temporarily shutting off access to Canvas and issued a directive advising users not to log into the system, not to click on any links, not to download files, and not to respond to any messages related to the pop‑up. Wake said it had learned of the data breach on Tuesday and had notified families on Wednesday, stating that personal data of current staff and students may have been accessed but that there was no indication that passwords, dates of birth, government identifiers, or financial information were involved. The ShinyHunters group claimed that its attack on Instructure affected nearly 9,000 schools worldwide and exposed personal identifying information for over 275 million students, teachers and staff, according to Inside Higher Ed. At least some Wake users who logged into Canvas on Thursday received the pop‑up message, which included a link that the group said showed which schools were affected and reiterated the May 12 deadline for negotiation.

Canvas is used by public schools across North Carolina and is part of the state’s statewide learning management system, and the outage affected institutions beyond Wake County, including the University of North Carolina at Chapel Hill and Duke University. UNC‑Chapel Hill reported that Canvas was unavailable due to a system outage caused by the cybersecurity incident at Instructure, which was impacting approximately 9,000 universities and schools nationwide, and noted that while spring semester finals had concluded Thursday, the outage could affect grade submissions due Monday, May 11, 2026, with updates to be provided as more information became available. Duke University confirmed that it had been notified by Canvas of a cybersecurity incident resulting in unauthorized access to data at Canvas from thousands of institutions, including Duke, and that its IT Security Office was closely monitoring the situation and assessing any effect on the university community, with a statement from Nick Tripp, Duke’s chief information security officer, indicating that Instructure’s notification had found no indication that passwords, dates of birth, government identifiers, or financial information were involved. Duke’s IT Security Office said it would continue to monitor the incident and provide updates as new information became available. Wake County’s response included urging users not to engage with the pop‑up message and maintaining the temporary suspension of Canvas access while the incident was under investigation.
