Quarter of a million lawyer disciplinary records leak
When it comes to the privacy of witnesses and attorneys, this Bar is set low
Updated Approximately 260,000 nonpublic disciplinary records stored on behalf of The State Bar of California were found to be exposed to the public and to have been republished on Judyrecords.com, a website that aggregates over 630 million public court records.
The sensitive records exposed include the case number, filing date, case type, case status, and respondent and complaining witness names.
Full case records were not disclosed, the State Bar said, and it's not yet clear how many attorney and witness names were revealed. The State Bar, which oversees the licensing of attorneys in the US state of California, also expressed concern that other government entities may be affected.
"We believe the issue is broader than the State Bar, because it appears that confidential records from other jurisdictions are appearing on the site as well," the State Bar said on its privacy breach update page.
As of late Saturday, the State Bar said, the confidential and the public documents had been removed from the aggregation website and an investigation is ongoing.
We apologize to anyone who is affected by the website’s unlawful display of nonpublic data
"We apologize to anyone who is affected by the website’s unlawful display of nonpublic data," said Leah Wilson, executive director of the State Bar of California, in a statement. "We take our obligations to protect confidential data with the utmost seriousness, and we are doing everything we can to ensure that we resolve this issue quickly and prevent any such breaches from recurring."
Wilson said efforts are being made to alert those affected as quickly as possible.
The website Judyrecords.com, which gathers court records from multiple legal databases and makes them available at no cost so they can be searched, says in its Terms of Service, "All records on this site were made public by their respective agencies and are part of the public domain."
In a series of updates posted to the website's info page, the unidentified site operator says the confidential disciplinary records were removed, along with 60,000 public records, on Saturday after the State Bar issued its press release acknowledging the data exposure. The records were available at https://discipline.calbar.ca.gov, which is no longer online.
The note explains that the unidentified operator of Judyrecords.com then emailed the State Bar via the address provided in its press release and denied being aware of any attempts at contact, direct or indirect.
That's perhaps not surprising since Judyrecords.com provides no information to contact the site operator. The website is registered through GoDaddy.com and has an IP address from web host OVH in Canada.
A subsequent update says the site operator was emailed back by the State Bar on Sunday and accepted an invitation to discuss what happened.
"Tentatively, the number of affected cases is less than 1,000," the site operator said.
- Emails, chat logs, more leaked online from far-right militia linked to US Capitol riot
- Would be so cool if everyone normalized these pesky data leaks, says data-leaking Facebook in leaked memo
- After oil giant Shell hit by Clop ransomware gang, workers' visas dumped online as part of extortion attempt
- Ransomware masterminds claim to have nabbed 53GB of data from Intel's Habana Labs
In response to an inquiry from The Register, a spokesperson for the State Bar said, "We are still investigating and it is a fluid situation as you might imagine and at this point, we do not have definitive information on these details. Tyler Technologies provides our Odyssey case management system, which is where this information is stored."
Tyler Technologies did not immediately respond to a request for comment.
The State Bar Court website offers a public search function. It may be that the Odyssey system was misconfigured to allow public access to nonpublic data, but the State Bar has not yet officially made that determination.
"The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated," the State Bar says on its website.
The situation appears to have some similarity to the Missouri's Department of Elementary and Secondary Education's (DESE) website, which last year exposed information that should not be public – the Social Security details of educators.
When St Louis Post-Dispatch reporter Josh Renaud informed Missouri officials about the exposed data last October, he was accused of hacking – because he viewed the Base64 encoded data via his browser's view-source function. Though no charges were filed against Renaud, who was cleared in a Missouri Highway Patrol investigation [PDF], the Missouri Governor's Office maintains a state hacking law was broken.
In this instance, the State Bar of California has not yet concluded whether any hacking occurred, as it explains in its FAQ, "Was this a hack? And how did this happen?"
"The State Bar’s Odyssey case management system software vendor, Tyler Technologies, has been tasked with investigating what happened, taking the steps needed to rectify the breach, and ensuring something similar does not happen again," the State Bar explains. "The State Bar also retained a team of IT forensics experts to assist in our investigation." ®
Updated to add
The State Bar has, following an investigation and discussion with Judyrecords.com, told us it believes there was "no malicious 'hack' of its system." Instead, we're told, "it appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by Judyrecords when they attempted to access the public records, using a unique access method."
Tyler Technologies is said to be fixing the flaw, which may be present in other Odyssey deployments. Nonpublic State Bar records have been purged from Judyrecords.com.
“Our obligation and responsibility are to the respondents and witnesses whose nonpublic information may have been shared, and again I apologize to them for this breach,” said Leah Wilson, State Bar executive director.
“We have confirmed that this was not a hack, but rather an access vulnerability problem with our Odyssey system. We thank Judyrecords for quickly removing the files and look forward to similarly working expeditiously with Tyler Technologies to take the necessary steps to address this issue.”