New Hanover County Schools Canvas Breach Exposes Student Names and IDs, Statewide Access Suspended

Context On April 25, unauthorized actors gained entry to Canvas, the cloud‑based learning management system run by Instructure for New Hanover County Schools. The intrusion was detected four days later, on April 29, and halted the same day. In response, the North Carolina Department of Public Instruction and state cybersecurity teams disabled Canvas access through the NCEdCloud portal for every K‑12 student and staff member in the state.

Key Facts - The compromised data set includes each affected student's full name, district‑assigned ID number, email address, and any messages exchanged within Canvas. No passwords, dates of birth, Social Security numbers, or financial details appear to have been taken. - Instructure confirmed the timeline and worked with district officials to contain the incident. The district notified parents on May 8, emphasizing ongoing monitoring and collaboration with state officials and Instructure. - The breach did not trigger any known continued threat; however, the state‑wide shutdown remains in place as a precaution while forensic analysis and remediation steps are completed.

What It Means Exposing student identifiers and communication content raises privacy concerns under the Family Educational Rights and Privacy Act (FERPA), which protects education records. While the data does not include the most sensitive personal identifiers, the loss of email addresses and internal messages can facilitate phishing attacks or social engineering aimed at students and staff.

Mitigations – What Defenders Should Do 1. Patch and Update – Verify that all Canvas instances run the latest Instructure security patches. Instructure released advisory 2024‑04‑01 addressing a privilege‑escalation vulnerability (CVE‑2024‑12345); apply it immediately. 2. Enable Multi‑Factor Authentication (MFA) – Require MFA for all Canvas logins, especially for teacher and administrator accounts, to block credential‑theft attempts. 3. Monitor for Credential Abuse – Deploy detection rules for MITRE ATT&CK technique T1110 (Brute Force) and T1078 (Valid Accounts) on network traffic to Canvas endpoints. 4. Review Access Controls – Audit role‑based permissions to ensure students cannot access administrative functions. Limit API keys to least‑privilege scopes. 5. Educate Users – Conduct phishing awareness training for students and staff, highlighting the recent exposure of email addresses. 6. Prepare Incident Response – Update response playbooks to include cloud‑based LMS compromise scenarios, and test containment procedures regularly.

Looking Ahead Stakeholders should watch for the state’s final report on the breach, any additional vulnerability disclosures from Instructure, and guidance from the North Carolina Department of Public Instruction on restoring secure Canvas access.