Data breach at the California State Bar, with 322,000 confidential attorney discipline files exposed to the public, an excruciating experience ongoing from 27 February 2022
May 10, 2022 |
Lawyers are far from immune to data breaches. In fact law firms are attractive targets for ransomware attacks and malicious actors, sometimes state-sponsored ones, who are interested in the sensitive client information held behind often poorly protected cyber defences. Nothing so nefarious hit the State Bar of the US state of California, yet over 322,000 confidential attorney discipline records were erroneously published on public records aggregator Judyrecords from 15 October 2021 until 26 February 2022. The Bar attributed the error to a bug in its case management system. That the breach was caused by a flaw in the IT system rather than a malicious hack is a minor consolation; the mortification level remains high nevertheless, and it remains a data breach. The breach was discovered on 24 February 2022. Although not legally required to do so, the Bar has committed to notifying the approximately 1,300 complainants, witnesses and respondents named in the confidential records that showed evidence of a page view.
The episode highlights the importance of checking the operability of IT systems as well as cyber security defences. As the Judyrecords operator later described it, the defect was a missing access-control check: the case management portal returned case data on direct request by case number without verifying that the requester was entitled to see it, so confidential records were available to anyone who asked for them by number. That is an explanation, not an excuse.
The State Bar first issued a Media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022. At that time it stated:
The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.
Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.
The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute.* It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.
The State Bar is taking all necessary steps to address and correct this matter:
- We have retained a team of IT forensics experts to assist in our investigation.
- We have tasked our case management system software vendor, Tyler Technologies, to investigate and remediate any issues in their Odyssey case management software or this specific implementation of it.
- We have contacted the website’s hosting provider and domain name registrar requesting that the confidential data be immediately taken down. Direct contact information for the website owner is not readily available.
- We have notified law enforcement.*
“We apologize to anyone who is affected by the website’s unlawful display of nonpublic data,” said Leah Wilson, Executive Director. “We take our obligations to protect confidential data with the utmost seriousness, and we are doing everything we can to ensure that we resolve this issue quickly and prevent any such breaches from recurring. We intend to act quickly to provide disclosures to affected individuals.”
The State Bar has set up a webpage to provide ongoing updates and answer questions about the data breach: calbar.ca.gov/data-breach.
The State Bar’s page providing ongoing updates highlights the difficulties in managing such a tricky situation. It was forced to make corrections on the run, on 2 and 10 March 2022. It provided a very useful report on 14 March 2022 setting out how many public records were involved (47,964), how many confidential records were available (322,525) and how many of those included personal information (188). Importantly, to put the breach into context, it revealed that 60 public records and 1,034 confidential records were actually viewed, of which 6 contained personal information. This is a very intelligent way of being transparent: providing accurate information in a timely manner and putting the data breach into a broader context. Yes, the breach was serious, but the records were viewed by a relatively small number of people and the personal information was contained in only 6 of them.
The State Bar of California’s Data Breach update of 6 May 2022 sets out quite clearly its notification plan which also gives a clearer idea of the nature of the breach:
The State Bar is implementing a notification plan for complainants, witnesses, and respondents whose names appeared in the approximately 322,525 confidential records that were available on judyrecords from approximately October 15, 2021, to February 26, 2022.
Here are highlights of the State Bar’s current notification plan:
- Group 1: Confidential records with page views
- The State Bar will notify approximately 1,300 complainants, witnesses, or respondents whose names appeared in the 1,034 confidential records that showed evidence of a page view.
- Of these records, 6 contained the case type “Inactive 6007(b)(3) Mental Illness or Substance Abuse.”
- Notices to Group 1 will be sent by email, or by postal mail if we do not have email addresses on file.
- Group 2: Confidential records with no page views, respondents
- For respondents whose names appeared in confidential records for which there is no evidence of a page view, notices will be sent by email, or by postal mail if we do not have email addresses on file.
- Group 3: Confidential records with no page views, complainants and witnesses with email addresses
- For complainants and witnesses whose names appeared in confidential records for which there is no evidence of a page view, notices will be sent by email if we have email addresses on file.
- The State Bar has email addresses for approximately 100,000 complainants and witnesses, about 37 percent of those named in unviewed records.
- Group 4: Confidential records with no page views, complainants and witnesses with only postal addresses
- As a last stage of the notification process, complainants and witnesses named in unviewed records for whom we have only a postal address will be sent notices by postal mail.
- The State Bar has contracted with a third-party administrator to send the notices and respond to inquiries.
- Notifications are expected to begin this week, with email distribution expected to take five to seven business days. Postal mail distribution, especially for Group 4, is expected to take two to four weeks.
Although the State Bar is not legally required to do so, it has committed to notifying those whose names or other information appeared in confidential records indexed on judyrecords. “We are taking these steps because we believe it’s the right thing to do,” said Leah Wilson, Executive Director. “The State Bar is committed to transparency, and maintaining the public’s trust in our agency is paramount. That said, we had to balance our commitment to be transparent with considerations of costs, logistics, and fiscal prudence. We believe we have struck the right balance.”
It is quite a good template. Not surprising given it is drafted by lawyers.
The commentary by Judyrecords about the breach and what happened later is unvarnished, informative and, in part, quite hilarious. It relevantly provides (and there is a whole lot of other commentary that is not particularly relevant):
What Happened With Tyler Technologies
First off, thanks for taking the time to read this. If you’re here, you’re probably already familiar with what’s happened. If not, check out here.
If you’re already familiar with all that or aren’t interested in reading through it, here’s the setup:
And I run judyrecords. Holy. Shit.
I see these around 11pm, along with several other news websites already picking up the story, immediately stop browsing reddit, and start rifling through a temp file for the closest thing that could delete the CA State Bar cases off the index.
Meeting With California State Bar. Monday Morning.
The night I learned of the issue, I’d immediately called out the CA State Bar saying that all the records accessed were publicly available (confidential & non-confidential). By Monday morning, however, the story had already hit local and national media. And I was a hacker. In what can only be described as simultaneously the most bizarre and unbizarre meeting I have ever had, by the time the Monday morning meeting arrived, everyone already knew what the problem was. Direct case access did not perform any access control check before returning case data. Holy. Fucking. Shit. It’s one of those things that almost doesn’t compute, honestly. A security measure so fundamental, and without which the system can’t even be called secure. There’s no buildup or grand reveal on the technical side of things, if you were hoping for one. You might be wondering then, what’s the most reliable way to size this up? What information available would have the highest likelihood of accurately reflecting what is actually true? And I would simply suggest looking at what happened in the following days. Tyler starts taking their portals offline across the country. I disable the search on judyrecords, and disable all Tyler Technologies cases from direct access. Silence.
The Great Retraction
Given the severity of the software defect, I’d like to think it was an entirely foregone conclusion about what the Bar’s response would be after the initial meeting. The California State Bar released the following statement that same day:
Within the span of 48 hours, I had metamorphosed from an ordinary citizen to a hacker. And to an ordinary citizen, once more. The least biased reporting I’ve found up to this point here.
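The defect the Judyrecords operator describes above, and which the commentary earlier on this page calls a glitch, is a direct case lookup that returns a record without checking whether the requester may see it. The following is an added illustration, not code from the State Bar, Tyler Technologies or judyrecords: a minimal case-record store with the vulnerable lookup beside a hardened one that applies the confidentiality rule quoted from Business and Professions Code 6086.1(b) (investigations are confidential until formal charges are filed). The record fields, roles, case numbers and the crawl routine are all assumed for the example.

```python
"""Added example: direct case access with and without an access-control check.

Not the State Bar's, Tyler Technologies' or judyrecords' code. The record
store, field names, roles and case numbers below are constructed for
illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class CaseRecord:
    case_number: str
    case_type: str
    status: str
    formal_charges_filed: bool  # assumed flag: record becomes public once True
    respondent: str
    complaining_witness: str


# Constructed sample data, not real discipline records.
CASES: Dict[str, CaseRecord] = {
    "PUB-0001": CaseRecord("PUB-0001", "Disciplinary", "Filed", True,
                           "Respondent A", "Witness A"),
    "INV-0002": CaseRecord("INV-0002", "Disciplinary", "Investigation", False,
                           "Respondent B", "Witness B"),
    "INV-0003": CaseRecord("INV-0003", "Inactive 6007(b)(3)", "Investigation",
                           False, "Respondent C", "Witness C"),
}


def is_confidential(rec: CaseRecord) -> bool:
    """Confidentiality rule as quoted on the page: an investigation stays
    confidential until formal charges are filed."""
    return not rec.formal_charges_filed


class Forbidden(Exception):
    """Raised when the requester is not entitled to the record."""


def lookup_case_vulnerable(case_number: str) -> Optional[CaseRecord]:
    """The defect: direct access by case number with no authorization check.
    Anyone who can construct or enumerate a case number gets the record,
    confidential or not."""
    return CASES.get(case_number)


def lookup_case(case_number: str, requester_role: str) -> Optional[CaseRecord]:
    """Hardened lookup: the confidentiality check runs on every direct access,
    not only in the search UI. For the public, an unknown case and a
    confidential case both raise Forbidden, so the response does not confirm
    whether a guessed confidential case number exists."""
    rec = CASES.get(case_number)
    if requester_role == "staff":          # assumed internal role
        return rec
    if rec is None or is_confidential(rec):
        raise Forbidden(case_number)
    return rec


def public_index() -> List[str]:
    """What a public aggregator should be able to index: only non-confidential
    cases, filtered at the data layer rather than in the search page."""
    return sorted(n for n, r in CASES.items() if not is_confidential(r))


def confidential_leaked(lookup: Callable[[str], Optional[CaseRecord]]) -> int:
    """Simulate an aggregator crawling known and guessed case numbers through
    a lookup function and count the confidential records it obtains."""
    leaked = 0
    for number in list(CASES) + ["INV-9999"]:  # INV-9999 is a guessed number
        try:
            rec = lookup(number)
        except Forbidden:
            continue
        if rec is not None and is_confidential(rec):
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("vulnerable lookup leaks:", confidential_leaked(lookup_case_vulnerable))
    print("hardened lookup leaks:  ",
          confidential_leaked(lambda n: lookup_case(n, "public")))
    print("public index:", public_index())
```

The point of the crawl routine is that the aggregator did nothing clever: it fetched records by number, and the vulnerable function hands back whatever exists. The check belongs on the direct-access path itself; hiding confidential cases from the search page while leaving `lookup_case_vulnerable` reachable would not have helped.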
The most recent story has been covered by the San Diego Union Tribune with State Bar notifies 1,300 people identified in data breach which provides:
The State Bar of California has begun notifying individuals whose names appeared in more than 322,000 confidential attorney discipline records published online in a massive data breach.
The State Bar said Friday it will contact 1,300 complainants, witnesses or respondents whose names appeared in more than a thousand confidential case records that appeared online.
“The State Bar is committed to transparency, and maintaining the public’s trust in our agency is paramount,” State Bar Executive Director Leah Wilson said in a statement.
The documents, published by public records aggregator Judyrecords, erroneously remained online from Oct. 15, 2021, to Feb. 26, 2022. The breach, first reported by the Southern California News Group, was not a hack, but rather a security vulnerability in the State Bar’s case management system. As a result, the confidential records were unintentionally swept up and published by Judyrecords.
Access to State Bar public records has been restored and the vulnerability has been corrected, the news group reported Saturday.
The story has been covered in the media from 27 February 2022, with stories in the LA Times, ID Theft Centre, Reuters and CBS News.