Approximately 260,000 non-public disciplinary records held on behalf of the State Bar of California were exposed to the public and republished on Judyrecords.com, a website that aggregates more than 630 million public court records.
Exposed sensitive records include case number, filing date, case type, case status, and names of defendants and complainant witnesses.
Full case records have not been released, the state bar said, and it is not yet known how many names of attorneys and witnesses have come to light. The state bar, which oversees the licensing of attorneys in the US state of California, has also expressed concern that other government entities could be affected.
“We believe the issue is broader than the state bar, as it appears confidential documents from other jurisdictions are also appearing on the site,” the state bar said on its invasion of privacy update page.
As of Saturday evening, the state bar said, the confidential and public documents had been removed from the aggregation website and an investigation was underway.
“We apologize to anyone affected by the unlawful posting of non-public data on the website,” said Leah Wilson, executive director of the State Bar of California, in a declaration. “We take our obligations to protect confidential data very seriously, and we are doing everything possible to ensure that we resolve this issue quickly and prevent such breaches from happening again.”
Wilson said efforts were being made to alert those affected as soon as possible.
In a series of updates posted on the website information page, the unidentified site operator says confidential disciplinary records were deleted, along with 60,000 public records, on Saturday after the state bar issued its press release acknowledging the data exposure. The records were available at https://discipline.calbar.ca.gov, which is no longer online.
The memo explains that the unidentified operator of Judyrecords.com then emailed the State Bar through the address provided in its press release and denied knowledge of any attempted contact, direct or indirect.
This is perhaps unsurprising since Judyrecords.com does not provide any contact information for the site operator. The website is registered through GoDaddy.com and has an IP address from the web host OVH in Canada.
A later update says the site operator was contacted by the state bar by email on Sunday and accepted an invitation to discuss what happened.
“Provisionally, the number of affected cases is less than 1,000,” the site operator said.
In response to a request from The Register, a state bar spokesperson said, “We are still investigating and the situation is fluid as you can imagine and at this point we do not have definitive information on these details. Tyler Technologies provides our Odyssey case management system, where this information is stored.”
Tyler Technologies did not immediately respond to a request for comment.
The State Bar Court website offers a public search function. The Odyssey system may have been misconfigured to allow public access to non-public data, but the state bar has yet to officially make that determination.
“The extent to which the external aggregation website was able to obtain non-public information stored in the Odyssey case management system is still under investigation,” the state bar states on its website.
The situation appears to bear some similarity to the case of the Missouri Department of Elementary and Secondary Education (DESE) website, which last year exposed information that should not be public: educators’ Social Security details.
When St Louis Post-Dispatch reporter Josh Renaud briefed Missouri officials on the exposed data last October, he was accused of hacking because he viewed the Base64-encoded data through the display source feature of his browser. Although no charges were brought against Renaud, who was cleared in a Missouri Highway Patrol investigation, the Missouri Governor’s Office maintains that a state hacking law has been violated.
In this case, the California State Bar has yet to conclude whether there was a hack, as it explains in its FAQ under “Was it a hack? And how did it happen?”
“Tyler Technologies, the software provider for the State Bar’s Odyssey case management system, has been assigned to investigate what happened, take the necessary steps to rectify the breach, and ensure that something similar will never happen again,” the state bar explains. “The State Bar has also hired a team of computer forensics experts to assist us in our investigation.” ®