A few hundred Utah students on Tuesday got an unexpected opportunity to not only see their fellow students' assignment scores online, but change those scores as well as their own.
Utah education officials say the glitch in the state's Canvas learning-management platform resulted in only a few changes, which were quickly fixed.
They stressed the incident was not caused by hackers, but by a software malfunction that has been repaired. No data appear to have been downloaded, and the exposure was limited to names and grades.
The breach occurred during two windows of time, from 12:30 a.m. to 1:45 a.m. and from 11 a.m. to 11:30 a.m. on Tuesday, for a total of 105 minutes.
The glitch occurred while Canvas was undergoing routine maintenance. If the circumstances were just right, students who logged on to Canvas were given teacher-level permissions, according to Misty Frost, vice president of marketing of Instructure, the Utah start-up behind Canvas.
Some 278 students inadvertently tapped into teacher options, and most quickly logged off.
"A couple poked around, some made changes and then self-corrected," Frost said. "It speaks volumes to the integrity of the students."
But about 30 others changed scores. Don't worry: the schools know who you are and what you did. In one instance, according to Frost, a student raised everyone else's score in the class. In another, a student lowered another student's score.
At the University of Utah, 129 students gained teacher-level access.
"We know every score, assignment or quiz that was viewed or altered. All of the altered scores have been restored to their original values. Only 3 percent of Fall semester classes in Canvas were affected. We've identified 11 classes where a student attempted to alter data," wrote Chuck Wight, the U.'s dean of graduate studies, in a campus-wide email Friday.
Another Instructure executive, Mitch Macfarlane, said in a statement: "While Instructure recognizes the significance of this permission error, both the timeliness of the response and the ability to restore data to its original state was made possible due to the existing architecture of Canvas."
He added: "We have added safeguards in the maintenance process and bolstered automated permissions testing."
In late 2010, the Utah Education Network (UEN) contracted with Instructure for $500,000 to manage the online interface between students, the state's public colleges and universities and 10 school districts. The transition from the former Blackboard system to the new Canvas platform was completed July 1.
More than 174,000 students now use Canvas to keep track of their coursework.
Tuesday's breach also affected Ogden-Weber Applied Technology College, the Granite, Park City and Canyons school districts, and Electronic High School, an open-entry/open-exit school in Salt Lake City. One student in each of the districts accessed data.
Of the 88,000 students logged onto Canvas during the maintenance windows Tuesday, only a tiny fraction were given the teacher-level permissions. They had to have been logged on earlier in the day, logged off for at least an hour prior, then logged back on while the maintenance was taking place, according to Frost.
"The door was open for just a crack in the middle of night. That's not to downplay the severity of this. You don't want it to open even a crack," she said. "You can't anticipate every single thing, but when you can, you test for it" to prevent repeat breaches.
Acting UEN director Eric Denna could not be reached. But in the press release Friday afternoon, he stressed that student confidentiality is a crucial priority.
"We are actively engaged with Instructure to ensure that this kind of incident will not happen again," said Denna, who is the U.'s chief information officer and co-chairs the UEN board.