NCDPI Cybersecurity Update: May 2026

Update #2, May 8, 2026

On May 6 (see below), we notified you that the recent data breach at Canvas, our state’s learning management system, involved student information in Orange County Schools. 

Here is what we have learned from Instructure (the parent company of Canvas) and the NC Department of Public Instruction (NCDPI):

  • Instructure confirmed that “names, email addresses, and student ID numbers, as well as messages among users (between teachers and students)” were involved. They said that “passwords, dates of birth, government identifiers, or financial information” were not involved.
  • State Superintendent Maurice “Mo” Green shared a May 6 update after the initial breach, and followed up on May 7 alerting districts that NCDPI shut down access to Canvas for all NCEDCloud users, out of an abundance of caution.
  • Canvas will not be available for any teachers or students in Orange County Schools or anywhere in North Carolina until further notice.

What to know: Check your sources

It’s possible that scammers will use information about your child to make messages seem official, asking you for money or other personal information, such as passwords. We want you to know how to keep your data secure:

  • If you did not initiate communication, do not respond to messages claiming to be from OCS, NCDPI, Canvas, or Instructure. 
  • Instead, visit official websites or apps directly to check for messages or updates. 
  • Never share new personal information by email, text message, or phone unless you independently confirm the request is legitimate. 
  • Changing passwords regularly is also a good safety practice, especially if you or your child reuse the same password across multiple accounts. 

Bottom line: If you are unsure of new communication about your child and cannot verify the source, please contact your child’s school. 

We appreciate your continued support of Orange County Schools.

__________
 

Update #1, May 6, 2026

We have been alerted to a cybersecurity incident involving Instructure, the parent company of Canvas, which is North Carolina’s statewide learning management system. Here is what we have received from the NC Department of Public Instruction:

“Canvas (Instructure) experienced a cybersecurity incident on April 25, 2026, where an attacker accessed some customer data, including personal information, but not passwords, Social Security numbers, financial data, or dates of birth. The breach was detected on April 29 and fully contained by April 30, with the vulnerability fixed and no ongoing threat identified.”

Last night (May 5, 2026), we received confirmation that this breach included Orange County Schools. Canvas remains operational, and federal authorities and forensic experts are investigating the details.

OCS has not seen any disruption of services related to this incident, and we are unable to advise whether any individual’s data has been compromised. As with any security incident, all users should remain vigilant for phishing attempts or suspicious communications.

While we await further updates, we remain committed to supporting students, families, and staff with transparency and care. We always appreciate your continued support of Orange County Schools.
