SALT LAKE CITY — A small number of students who logged into the Utah Education Network on Tuesday were faced with an unexpected lesson in honesty.
A technical glitch during a maintenance update of the statewide Canvas learning management system inadvertently gave teacher-level permissions to 278 of the 88,020 logged in that day. A small number of those students then delved into the additional options made available to them and 39 changes to grades were made.
"Fortunately, most people realized something was wrong and logged out," Utah Education Network spokesman Rich Finlinson said. "All the institutions have logs of what happened during that time, so they know exactly who changed what and when."
All colleges and universities in the Utah System of Higher Education; the Ogden-Weber Applied Technology College; and the Granite, Park City and Canyons school districts; as well as Utah's Electronic High School were affected by the software problem.
It is believed that one student from each district had access to course grades, along with older Utah students. Of the public education students, all but one logged out upon seeing the discrepancy, said Brenda Hales, associate superintendent for instructional service with the Utah State Office of Education.
"This isn't an instance of hacking or trying to get in," she said. "It was not their fault they were in that situation."
The data access error occurred between 12:30 a.m. and 1:45 a.m. and again from 11 a.m. to 11:30 a.m. Tuesday, for a total of 105 minutes. An immediate fix was applied by Canvas' host company, Instructure, following the second incident, and all modified data was reverted back to the originally posted grades.
"Obviously, in software development, you test as thoroughly as you can, but sometimes unique instances occur," said Misty Frost, vice president of marketing for Instructure.
Frost said there was no way the company could have seen the opportunity for unauthorized access coming, and the system has been upgraded to prevent it from happening again.
Individual institutions and districts remain responsible for enforcing student codes of conduct and pending consequences for making unauthorized changes to grades in the system, Finlinson said.
"I think the kids who didn't do anything are to be commended," Hales said. "Any of those kids who had access, who did nothing and immediately logged off — that shows character and that's what we would hope young people would do."
She said the system is glad it the problem was resolved quickly and that no sensitive information was released.
"Ensuring the confidentiality of our student data is essential, and we are actively engaged with Instructure to ensure that this kind of incident will not happen again," said Eric Denna, Utah Education Network's acting executive director
Canvas, which replaced the Blackboard Vista learning management computer system during the summer, serves an average of 174,000 Utah students taking courses at higher education and public institutions at any given time.