The State Bar of California has launched an investigation to discover how hundreds of thousands of confidential attorney discipline records were exposed online.
The records were discovered on February 24 on a public website that aggregates nationwide court case records. While the full case records were not accessible, data compromised in the incident included case number, file date, case type, case status and respondent and complaining witness names.
In a statement released Saturday, the State Bar said that it was taking “urgent action” to address the breach and had notified law enforcement of the incident.
Discovered on the website alongside the 260,000 confidential attorney discipline records were approximately 60,000 public State Bar Court case records.
The State Bar said that the site “also appears to display confidential court records from other jurisdictions” but did not specify which ones.
“It appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords when they attempted to access the public records, using a unique access method,” said the State Bar.
“The State Bar is working with Tyler Technologies, the maker of the Odyssey system, to remediate the security vulnerability, which we believe may not be unique to the State Bar’s implementation and could impact other users of Odyssey systems.”
Direct contact information was not readily available for the owner of the website on which the confidential data was exposed. However, the State Bar has contacted the website’s hosting provider and domain name registrar requesting that the confidential data be immediately taken down.
“We apologize to anyone who is affected by the website’s unlawful display of nonpublic data,” said Leah Wilson, executive director of the State Bar.
“We take our obligations to protect confidential data with the utmost seriousness, and we are doing everything we can to ensure that we resolve this issue quickly and prevent any such breaches from recurring.”
The State Bar said that as of late Saturday, February 26, all State Bar records, confidential and public, had been removed from the site, with a note confirming this on the site.