Brief Data Access Error within Canvas Learning Management System
Friday, Sep. 14, 2012
September 14, 2012 — This week during a maintenance update of the statewide Canvas learning management system, hosted by Utah-based software company Instructure, teacher-level permissions were inadvertently granted to select students, allowing them access to assignment scores in specific courses.
The unauthorized access occurred during two windows for a total of 105 minutes: Tuesday morning between 12:30-1:45 a.m. and again from 11:00-11:30 a.m. An immediate fix was applied after the second incident.
All colleges and universities in the Utah System of Higher Education were affected. Canvas software logs specifically identify all activity on the system during the relevant time periods. A review of the data shows that of the 174,000 students in the Utah System of Higher Education, 278 students were given teacher-level access during the periods in question and therefore were able to view grades, and 39 changes were made. When discovered, all modified data was reverted back to the original grades.
At Utah State University, the logs show that a total of 73 USU students temporarily had teacher-level permissions in Canvas. Every USU instructor affected by the incident has been contacted directly with details. Any USU instructor with questions or concerns about this incident, can contact Tyler Clair at 435-797-3581 or Neal Legler at 435-797-1903.
“Instructure is committed to the data integrity of our schools and took immediate action to resolve this issue,” said Mitch Macfarlane, Instructure’s vice president of Client Services and Products. “While Instructure recognizes the significance of this permission error, both the timeliness of the response and the ability to restore data to its original state was made possible due to the existing architecture of Canvas. We have added safeguards in the maintenance process and bolstered automated permissions testing.”
Ogden-Weber Tech College also experienced the incident. In addition, the Granite, Park City and Canyons school districts along with Electronic High School were affected, with one student in each district accessing the data. Universities and districts affected have compiled data logs of specific student activity and have contacted instructors who will determine an appropriate course of action in conjunction with school leadership.
“Ensuring the confidentiality of our student data is essential, and we are actively engaged with Instructure to ensure that this kind of incident will not happen again,” said UEN acting executive director Eric Denna, who is also the higher education co-chair of the UEN board.
Devin Knighton, public relations director, Instructure (801-722-8187)
Eric Denna, acting executive director, UEN (801-581-3100)
Brenda Hales, associate superintendent for instructional service, USOE (801-538-7515)