Approximately 260,000 nonpublic disciplinary records stored on behalf of The State Bar of California were found to be exposed to the public and to have been republished on Judyrecords.com, a website that aggregates over 630 million public court records.
The sensitive records exposed include the case number, filing date, case type, case status, and respondent and complaining witness names.
Full case records were not disclosed, the State Bar said, and it’s not yet clear how many attorney and witness names were revealed. The State Bar, which oversees the licensing of attorneys in the US state of California, also expressed concern that other government entities may be affected.
“We believe the issue is broader than the State Bar, because it appears that confidential records from other jurisdictions are appearing on the site as well,” the State Bar said on its privacy breach update page.
As of late Saturday, the State Bar said, the confidential and the public documents had been removed from the aggregation website and an investigation is ongoing.
We apologize to anyone who is affected by the website’s unlawful display of nonpublic data
“We apologize to anyone who is affected by the website’s unlawful display of nonpublic data,” said Leah Wilson, executive director of the State Bar of California, in a statement. “We take our obligations to protect confidential data with the utmost seriousness, and we are doing everything we can to ensure that we resolve this issue quickly and prevent any such breaches from recurring.”
Wilson said efforts are being made to alert those affected as quickly as possible.
The website Judyrecords.com, which gathers court records from multiple legal databases and makes them available at no cost so they can be searched, says in its Terms of Service, “All records on this site were made public by their respective agencies and are part of the public domain.”
In a series of updates posted to the website’s info page, the unidentified site operator says the confidential disciplinary records were removed, along with 60,000 public records, on Saturday after the State Bar issued its press release acknowledging the data exposure. The records were available at https://discipline.calbar.ca.gov, which is no longer online.
The note explains that the unidentified operator of Judyrecords.com then emailed the State Bar via the address provided in its press release and denied being aware of any attempts at contact, direct or indirect.
That’s perhaps not surprising since Judyrecords.com provides no information to contact the site operator. The website is registered through GoDaddy.com and has an IP address from web host OVH in Canada.
A subsequent update says the site operator was emailed back by the State Bar on Sunday and accepted an invitation to discuss what happened.
“Tentatively, the number of affected cases is less than 1,000,” the site operator said.
In response to an inquiry from The Register, a spokesperson for the State Bar said, “We are still investigating and it is a fluid situation as you might imagine and at this point, we do not have definitive information on these details. Tyler Technologies provides our Odyssey case management system, which is where this information is stored.”
Tyler Technologies did not immediately respond to a request for comment.
The State Bar Court website offers a public search function. It may be that the Odyssey system was misconfigured to allow public access to nonpublic data, but the State Bar has not yet officially made that determination.
“The extent to which the external aggregating website was able to obtain nonpublic information that was stored in the Odyssey case management system is still being investigated,” the State Bar says on its website.
The situation appears to have some similarity to the Missouri’s Department of Elementary and Secondary Education’s (DESE) website, which last year exposed information that should not be public – the Social Security details of educators.
When St Louis Post-Dispatch reporter Josh Renaud informed Missouri officials about the exposed data last October, he was accused of hacking – because he viewed the Base64 encoded data via his browser’s view-source function. Though no charges were filed against Renaud, who was cleared in a Missouri Highway Patrol investigation [PDF], the Missouri Governor’s Office maintains a state hacking law was broken.
In this instance, the State Bar of California has not yet concluded whether any hacking occurred, as it explains in its FAQ, “Was this a hack? And how did this happen?”
“The State Bar’s Odyssey case management system software vendor, Tyler Technologies, has been tasked with investigating what happened, taking the steps needed to rectify the breach, and ensuring something similar does not happen again,” the State Bar explains. “The State Bar also retained a team of IT forensics experts to assist in our investigation.” ®