Cyber Incident Victim: Charlotte-Mecklenburg Schools

On May 6, 2026, Charlotte-Mecklenburg Schools (CMS) announced that its students and employees were among the millions affected by a cybersecurity attack on the Canvas learning management system. The breach occurred within Instructure, the third‑party vendor that provides Canvas to the district, and took place over the weekend preceding the announcement. Officials emphasized that the incident did not involve or compromise CMS’s own network or internal systems. The Canvas breach follows a previous incident in which PowerSchool’s software was hacked, exposing personal information for millions nationwide. CMS officials noted that the exposed data consisted of personal information, but there was no indication that passwords, dates of birth, government identifiers, or financial information were compromised.

Upon learning of the breach, CMS initiated precautionary measures that included reviewing vendor communications, auditing system token access, and reviewing administrative access. The district stated that there is no evidence of ongoing unauthorized access. CMS remained in communication with Instructure and coordinated its response with the North Carolina Department of Public Instruction. Officials notified employees of the incident and directed staff not to click on suspicious links or emails. Employees were instructed to report any unusual activity through the My Support portal or the CMS Technology HelpDesk.

As of May 6, Instructure reported that it had identified, contained, and remediated the issue shortly after detection. The Canvas platform remained fully operational following the remediation. CMS indicated that it would continue to monitor the situation and provide updates as new information became available. The article described the story as developing, with further details expected to emerge.