Wake County Schools Confirm Canvas Breach, Push Multi‑Factor Authentication

Wake County schools report a Canvas breach on April 25, urging multi‑factor authentication and tighter admin controls to protect student data.

Peter Olaleru/3 min/US

Cybersecurity Editor

Wake schools: April data breach may have impacted all NC schools; student & staff data accessed

Source: Wral

Wake County Public School System disclosed a breach of the Canvas learning platform on April 25 and is mandating multi‑factor authentication for privileged accounts.

Context

The district uses Canvas, a learning‑management system from Instructure, to host assignments and grades for teachers and students across North Carolina. The platform has been in statewide use since 2015 under an agreement with the North Carolina Department of Public Instruction.

Key Facts

- The district learned of the incident on Tuesday, linking it to unauthorized activity on April 25.
- Officials believe student and staff records may have been accessed, but no passwords, birth dates, government IDs, or financial data appear to have been taken.
- Canvas issued an advisory recommending that all customers enable multi‑factor authentication (MFA) on privileged accounts, audit administrator privileges, and rotate API tokens or keys.
- The breach is under investigation by both the school district and Instructure, with ongoing communication to determine the full scope.

What It Means

The exposure of educational records highlights the risk of credential‑based attacks on cloud‑based platforms. While no highly sensitive personal identifiers were compromised, the potential view of grades, attendance, and class materials can still affect privacy and compliance with FERPA, the federal student‑privacy law.

Mitigations

- Enable MFA on all admin and privileged accounts to add a second verification step beyond passwords.
- Audit admin roles quarterly; remove unnecessary privileges and enforce the principle of least privilege.
- Rotate API tokens regularly and store them in secure vaults; revoke any tokens that are no longer in use.
- Apply patches promptly; monitor vendor advisories for CVEs (Common Vulnerabilities and Exposures) affecting Canvas or its underlying infrastructure.
- Deploy detection rules for MITRE ATT&CK techniques T1078 (Valid Accounts) and T1110 (Brute Force) to spot suspicious login attempts.
- Conduct phishing simulations to reduce credential‑theft risk among staff and students.
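A sketch of the T1110 and T1078 detection logic named in the mitigations, added here as an illustration; it is not code from Instructure, the district, or the original article. The log format, account names, IP addresses and thresholds are constructed assumptions, not a real Canvas log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Canvas logs): time, account, source IP, result.
SAMPLE_LOG = """\
2025-01-06T08:00:00 teacher1 198.51.100.10 OK
2025-01-06T08:01:00 admin1 198.51.100.20 OK
2025-01-06T09:00:00 admin1 203.0.113.7 FAIL
2025-01-06T09:00:20 admin1 203.0.113.7 FAIL
2025-01-06T09:00:40 admin1 203.0.113.7 FAIL
2025-01-06T09:01:00 admin1 203.0.113.7 FAIL
2025-01-06T09:01:20 admin1 203.0.113.7 FAIL
2025-01-06T09:02:00 admin1 203.0.113.7 OK
2025-01-06T10:00:00 teacher1 198.51.100.10 FAIL
2025-01-06T10:00:30 teacher1 198.51.100.10 OK
2025-01-06T11:00:00 teacher1 198.51.100.99 OK
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_FAILURES = 5               # assumed failure threshold

def parse(log):
    """Yield (timestamp, account, ip, result) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, account, ip, result = line.split()
        yield datetime.fromisoformat(ts), account, ip, result

def detect(log, window=WINDOW, max_failures=MAX_FAILURES):
    """Return alerts as (technique, account, ip, timestamp) tuples."""
    failures = defaultdict(deque)  # account -> failure times inside the window
    known_ips = defaultdict(set)   # account -> IPs of earlier successful logins
    alerts = []
    for ts, account, ip, result in parse(log):
        recent = failures[account]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == max_failures:  # alert once when the threshold is hit
                alerts.append(("T1110", account, ip, ts))
        else:
            after_burst = len(recent) >= max_failures
            new_ip = bool(known_ips[account]) and ip not in known_ips[account]
            if after_burst or new_ip:        # success after a burst, or unfamiliar source
                alerts.append(("T1078", account, ip, ts))
            known_ips[account].add(ip)
            recent.clear()
    return alerts
```

On the sample data, `detect(SAMPLE_LOG)` flags the failure burst against `admin1`, the successful login that follows it, and the `teacher1` login from a previously unseen address; the single mistyped password at 10:00 raises nothing.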

Looking Ahead

Watch for updates on the investigation’s findings, any disclosed threat‑actor attribution, and whether additional districts adopt similar MFA mandates.
