|
Members of the University of Maine System Community,
I am writing to inform you of an incident that occurred within the Brightspace Learning Management System (LMS) over the holiday weekend and to clarify the nature of the incident and the University of Maine System (UMS) response.
To start, it is important to note that the incident was the result of a technical alteration to a process UMS uses to synchronize course rosters between our official MaineStreet student information system and the Brightspace learning management system and NOT the result of an internal or external hacking event. A permanent fix has been deployed and measures taken to ensure no further synchronization errors occur. Furthermore, NO MaineStreet student records have been compromised; no access was granted to official student records or to change grades. The issue was contained wholly within the Brightspace LMS which includes limited student information, mostly considered directory information (Name, Email Address) along with University ID, student enrollment and course-related activity – but not final official grades.
On Thursday 11/24, we received an incident report from a student indicating they had gained additional access to their assigned Brightspace course shell. Analysis revealed that an error in the account synchronization process between MaineStreet and Brightspace had resulted in a total of 242 students being inadvertently granted elevated access privileges in the Brightspace LMS. A fix was deployed on Friday 11/25 to restore proper permissions to the affected accounts.
A full review of the audit logs obtained from Brightspace has been underway since the time the incident was reported and we have been able to determine that a total of 212 course access events across 92 unique courses had occurred amongst a subset of the population of students granted elevated privileges (80 total). Of these events, the vast majority were the result of a student accessing a course in which they were legitimately enrolled. To date, we have identified a total of 3 courses that were accessed by a student who was not enrolled in the course. The total enrollment across all 92 courses accessed during the incident period is 2,463, which represents the population of students who may have had their Brightspace profile information and/or course enrollments viewed by an unauthorized individual. Email communications to this population of students, along with the faculty associated with these courses, is currently being distributed by the campuses to alert them of the nature of the event.
Currently, we are assessing the log of Brightspace gradebook items to determine if any intentional alterations were made by individuals with elevated privileges during the affected time period. Any unauthorized changes to these gradebook items will be shared with the instructor and restoration of previous scores will be coordinated.
We are grateful to the individuals who alerted us to this issue as well as everyone involved with investigating and resolving the issue promptly.
Thank you for your patience and assistance as we gathered the facts necessary to distribute this message to you.
Sincerely,
| 
