Wake County Schools Confirm Second Canvas Data Breach in Two Years
Wake County Public Schools report a second Canvas breach, exposing student and staff data and prompting new security recommendations.

TL;DR
Wake County Public Schools disclosed a second Canvas breach, dated April 25, that may have exposed personal information of current students and staff.

Context
On April 25, the district’s Canvas learning management system was compromised. Parents received notice on the following Tuesday, eleven days after the intrusion. This follows a 2024 incident in which a PowerSchool contractor’s credentials were stolen, revealing names, addresses, and email addresses.

Key Facts
- The breach affected the Canvas platform used for assignments, grades, and parent portals. No evidence shows passwords, dates of birth, or financial data were taken.
- District officials confirmed that personal data of students and staff were accessed, but the exact record count has not been released.
- Lisa Baildon, a parent of a Millbrook High student, asked who accessed the data and what they might do with it. Wendy Carvajal, a teacher‑parent, expressed worry about the protection of personal information.
- Cybersecurity experts advise families to watch for phishing emails that impersonate the school, enable multi‑factor authentication (MFA) on all accounts, and avoid password reuse. A password manager can simplify unique credential generation.
- The North Carolina Department of Public Instruction has already migrated to a new student‑data system after the 2024 breach, but Canvas remains a critical vector for school communication.

What It Means
The repeat breach highlights persistent gaps in the district’s security controls around third‑party SaaS applications. Attackers likely exploited a misconfigured API endpoint or an unpatched vulnerability in Canvas, a common target for credential‑stuffing and token‑theft techniques cataloged under MITRE ATT&CK T1078 (Valid Accounts). The lack of MFA on user accounts would have facilitated lateral movement once initial access was gained.

Mitigations
- Enable MFA on every Canvas account and any linked school services. MFA adds a second verification factor, such as a code sent to a phone, reducing reliance on passwords alone.
- Patch and harden the Canvas environment. Apply any vendor‑issued updates and verify that default credentials are disabled.
- Monitor for anomalous activity using log aggregation and alerting for unusual login locations or times, aligning with ATT&CK technique T1110 (Brute Force).
- Educate users on phishing detection. Conduct regular training for students, parents, and staff on how to verify sender domains and avoid clicking suspicious links.
- Implement least‑privilege access. Restrict user permissions to only the data needed for their role, limiting exposure if an account is compromised.
- Conduct a post‑incident review. Document the attack timeline, vector, and response actions to improve incident‑response playbooks.
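
The monitoring item above, as an added example that is not from the district, the vendor, or the original article: a small detector that flags a failed-login burst (T1110), a success right after one (T1078), a first login from a new country, and off-hours logins. The event schema, thresholds, account names, and sample records are constructed assumptions, not Canvas's actual log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # assumed: failures per account inside WINDOW
WINDOW = timedelta(minutes=10)     # assumed sliding window
WORK_HOURS = range(6, 22)          # assumed normal login hours (local time)

# Constructed sample events in a hypothetical schema (not Canvas's log format):
# (timestamp, account, source country, outcome)
SAMPLE_EVENTS = [
    ("2030-01-07T08:15:00", "staff01", "US", "success"),
    ("2030-01-07T09:02:00", "student42", "US", "success"),
    ("2030-01-08T03:10:00", "staff01", "US", "failure"),
    ("2030-01-08T03:10:20", "staff01", "US", "failure"),
    ("2030-01-08T03:10:40", "staff01", "US", "failure"),
    ("2030-01-08T03:11:00", "staff01", "US", "failure"),
    ("2030-01-08T03:11:20", "staff01", "US", "failure"),
    ("2030-01-08T03:12:00", "staff01", "US", "success"),
    ("2030-01-08T10:30:00", "student42", "RO", "success"),
]

def detect(events):
    """Return (timestamp, account, rule) alerts for login events."""
    failures = defaultdict(deque)   # account -> failure times still inside WINDOW
    seen = defaultdict(set)         # account -> countries with earlier successes
    alerts = []
    for ts, account, country, outcome in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        recent = failures[account]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()        # expire failures older than the window
        if outcome == "failure":
            recent.append(when)
            if len(recent) == FAIL_THRESHOLD:   # fire once as the burst forms
                alerts.append((ts, account, "failed_login_burst"))
            continue
        if len(recent) >= FAIL_THRESHOLD:       # guessing ended in a valid login
            alerts.append((ts, account, "success_after_burst"))
        if seen[account] and country not in seen[account]:
            alerts.append((ts, account, "new_country"))
        if when.hour not in WORK_HOURS:
            alerts.append((ts, account, "off_hours"))
        seen[account].add(country)
        recent.clear()              # a success resets the failure window
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

In production the same rules would run in the log-aggregation platform, with thresholds tuned to the district's own login baseline.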
The district’s next steps will likely include a forensic audit of Canvas logs and a review of third‑party risk management policies. Stakeholders should watch for an official remediation roadmap and any updates to state‑wide education data security standards.
*What to watch next:* the release of a detailed incident report from Wake County Schools and any new guidance from the North Carolina Department of Public Instruction on SaaS security.