Wake County Public Schools (WCPSS) notified parents Wednesday about the data breach, which the district says could have exposed personal data of current students and staff may. District officials said there is no indication that passwords, dates of birth, or financial information were shared.
Thursday afternoon, the school sent another message to parents saying they have temporarily disabled the Canvas icon due to a cybersecurity-related message appearing within Canvas. The message obtained by ABC11 appears to be a ransom demand before information they have access is leaked.
Now, some people were getting a message from the group Shiny Hunters saying it would release the data it got from the breach unless it was paid a random by next week.
The full WCPSS letter to parents:
"We are aware of a cybersecurity-related message currently appearing within Canvas for some users. Out of an abundance of caution, WCPSS has temporarily disabled the Canvas icon within the WakeID Portal while we work with our vendors and technology teams to verify system security and restore normal operations.
This action is being taken proactively to protect staff and student access while the issue is investigated.
Canvas data breach: NC schools, colleges on the lookout for impacts
They warn parents not to attempt to access Canvas through alternate links or bookmarks until further notice. The district also asked them not click on any links, download files, or respond to any messages related to the pop-up."
The North Carolina Department of Public Instruction says Instructure, the parent company of Canvas, notified them of the breach.
In a statement obtained by ABC11, Instructure addressed the disruption seen by users, saying in part:
"Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in. Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused."
Canvas data breach: NC schools, colleges on the lookout for impacts
NC DPI told ABC11 in a statement that reads in part:
"The North Carolina Department of Public Instruction is aware of a cybersecurity incident reported by Instructure, the parent company of Canvas, the learning management system used by many North Carolina public schools. Instructure informed NCDPI on Tuesday afternoon that NCDPI and some North Carolina Public School Units had been impacted.
This is a developing situation. NCDPI does not yet have confirmation on which districts and charter schools are impacted. Instructure is contacting affected districts directly as it confirms that information.
NCDPI is coordinating with Instructure and the North Carolina Department of Information Technology and is in active communication with our Public School Units as the situation evolves."
SEE ALSO | The Gen Z hackers behind major data breaches
Durham Public Schools, Chapel Hill-Carrboro City Schools, and Cumberland County Schools confirmed to ABC11 they were notified that the data breach impacted their students.
For many parents, the news prompted immediate concern.
"It was a little bit just concerning when I first read the text, email this morning," Raleigh parent Jake Howland said.
The breach involves a platform that is part of daily classroom instruction, making the incident especially troubling for families.
"It does bring in the question, you know, what the security is really like around firewalls and those kinds of things and why these breaches may be happening. You know, so that's something hopefully that they'll be looking at," Howland said.
Sophia Walsh is a senior at Cary High School used Canvas every day..She was shocked to learn that the app led to her becoming victim of a cyberattack before she's even in college.
"So we use Canvas for pretty much all our assignments at school." Walsh said. "It definitely scares me. There's a lot of personal information, like we're always like, especially for assignments itself, like we're putting in our personal information. Our schools are all linked through it, like through our fake ID portal. So addresses information like that. Emails, personal emails are all through that."
According to Instructure, the parent company of Canvas, hackers accessed data including student names, email addresses, identification numbers and messages exchanged among users.
The company said passwords, birth dates, government identification numbers and financial information were not compromised.
Instructure says all North Carolina public schools use Canvas, and some universities and colleges use it as well, including Duke, UNC, North Carolina Central and Fayetteville State.
Cybersecurity experts say incidents like this are becoming increasingly common.
"This is part of our everyday lives now, that we just have to operate under the assumption that your information is out there, and people are probably gonna get their hands on it one day," said Eric Bordeau, virtual chief information officer at Logically.
Bordeau said the type of information exposed in this breach may not have immediate consequences but could pose risks over time.
"This particular information that was leaked here, or exposed, it's something that might not impact them for years to come," he said.
Cybersecurity expert Kat Duffy says this isn't the first time schools have been targeted by data breach.
Educational institutions can be a rich target for this type of attack because they combine oftentimes lower cybersecurity infrastructure with higher sensitivity information, as well as a strong incentive to pay so that this information doesn't get out or they don't get locked out of their systems," said Duffy, CFR Senior Fellow for Digital & Cyberspace Policy.
Experts recommend parents take steps to protect their children's information, including encouraging responsible sharing online and using strong, unique passwords.
"Having conversations with children about, you know, not putting more information out there than you absolutely need to," Bordeau said.
Duke University also utilizes Canvas, and said university staff also have been made aware of the situation.
A Duke spokesperson shared the following statement saying:
"Duke has been notified by Canvas, which provides the university's learning management system, of a cybersecurity incident resulting in unauthorized access to data at Canvas from thousands of institutions, including Duke.
The IT Security Office is closely monitoring this incident and is continuing to assess any effect on the university community. At this time, Canvas remains operational and available to Duke faculty, staff, and students."
Officials are still working to determine the full scope of the breach. Several institutions, including North Carolina State University, North Carolina Central, and UNC-Chapel Hill have been contacted for information but have not yet confirmed whether they were affected.
"It's definitely, a bit nerve wracking a little bit," said NC State student Jackson Stokes. "It just makes me concerned for what data that, I could be, what could be out there and what could be, just taken from me."
Walsh added, "Yeah. I think that they need to do a better job protecting our personal information, like as a school system. And I think that they should really make sure that this doesn't become a big issue for us when we don't have a choice."
NC Central told ABC11 that it was informed there had been no evidence of ongoing malicious activity and notified federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency.
ABC11 reached out to the FBI, which declined to comment.
Download the ABC11 News app for breaking news and weather alerts