Data Breach Updates

This webpage provides updates and answers questions about a breach of confidential case profile data recently discovered by the State Bar.

 

June 3, 2022

As an update to the State Bar’s notification plan outlined below, notifications have been sent to Group 1 listed below: the 1,300 complainants, witnesses, or respondents whose names appeared in the 1,034 confidential records that showed evidence of a page view. Notifications to Groups 2, 3, and 4 listed below are in progress, with an expected completion date of June 17.


May 6, 2022

The State Bar is implementing a notification plan for complainants, witnesses, and respondents whose names appeared in the approximately 322,525 confidential[1] records that were available on judyrecords from approximately October 15, 2021, to February 26, 2022. 

Here are highlights of the State Bar’s current notification plan:

  • Group 1: Confidential records with page views
    • The State Bar will notify approximately 1,300 complainants, witnesses, or respondents whose names appeared in the 1,034 confidential records that showed evidence of a page view. Sample witness notice | Sample respondent notice
    • Of these records, 6 contained the case type “Inactive 6007(b)(3) Mental Illness or Substance Abuse.” Sample notice
    • Notices to Group 1 will be sent by email, or by postal mail if we do not have email addresses on file.
  • Group 2: Confidential records with no page views, respondents
    • For respondents whose names appeared in confidential records for which there is no evidence of a page view, notices will be sent by email, or by postal mail if we do not have email addresses on file. Sample notice
  • Group 3: Confidential records with no page views, complainants and witnesses with email addresses
    • For complainants and witnesses whose names appeared in confidential records for which there is no evidence of a page view, notices will be sent by email if we have email addresses on file.
    • The State Bar has email addresses for approximately 100,000 complainants and witnesses, about 37 percent of those named in unviewed records. 
  • Group 4: Confidential records with no page views, complainants and witnesses with only postal addresses
    • As a last stage of the notification process, complainants and witnesses named in unviewed records for whom we have only a postal address will be sent notices by postal mail.
  • The State Bar has contracted with a third-party administrator to send the notices and respond to inquiries. 
  • Notifications are expected to begin this week, with email distribution expected to take five to seven business days. Postal mail distribution, especially for Group 4, is expected to take two to four weeks.

Although the State Bar is not legally required to do so, it has committed to notifying those whose names or other information appeared in confidential records indexed on judyrecords. “We are taking these steps because we believe it’s the right thing to do,” said Leah Wilson, Executive Director. “The State Bar is committed to transparency, and maintaining the public’s trust in our agency is paramount. That said, we had to balance our commitment to be transparent with considerations of costs, logistics, and fiscal prudence. We believe we have struck the right balance.”

Other updates: Judyrecords has posted updates here. Tyler Technologies has posted updates here.

March 15, 2022

Public access to the State Bar Court public records portal has been restored. The portal vulnerability previously identified was remediated by Tyler Technologies, and the results were confirmed both internally and by our third-party IT security team.

March 14, 2022

The ongoing investigation by the State Bar’s IT incident response team, with assistance from an expert third-party forensic firm, has yielded updated counts of public and confidential[1] State Bar records that were available on the judyrecords website—and which of those records were viewed on that site—during the period between mid-October and late February that the site made those records available. Our initial estimates were based on manual searches performed on the judyrecords site before the State Bar of California data was taken offline. Judyrecords subsequently provided us with a complete copy of the State Bar’s data from its site, which enabled us to more accurately inventory both the public and confidential records available and viewed. While our investigation is ongoing, we are providing this update for purposes of transparency. 

Available records (Counts at this time) 
  • Public records available: 47,964 
  • Confidential records available: 322,525 
  • Of confidential records that were available, 188 included personal information.[2] For example, 159 records pertained to inactive enrollment due to mental illness or substance abuse. One record included a Social Security number. 
Viewed records (Counts at this time) 
  • Public records that were viewed: 60 
  • Confidential records that were viewed: 1,034  
  • Of confidential records that were viewed, 6 records contained personal information. 

The State Bar plans to notify complainants, witnesses, and respondents whose names appeared in the approximately 322,525 confidential records that were available on judyrecords during the period in question, though the current evidence suggests that only 1,034 of those were actually viewed. We continue to investigate this incident and will provide additional details about the notification plan and timeline as soon as possible. 

The State Bar takes the data breach seriously and is devoting significant resources to assess the impact and pursue all available remedies. After interviewing several law firms with well-respected privacy and data security practices, the State Bar has retained Cooley LLP to advise on matters related to the data breach. Cooley partners Tiana Demas, Travis LeBlanc, and Michael Rhodes have national reputations in cyber/data/privacy, with California and other government experience that makes them uniquely qualified to represent the State Bar. Reflecting its commitment to public service, Cooley is providing its impressive resources and experience to serve the State Bar at substantially discounted rates. The majority of Cooley’s rates and costs will be covered by the State Bar’s insurance. The State Bar and its carrier intend to pursue reimbursement from Tyler Technologies.

The State Bar Court public records portal remains unavailable. We are continuing to work with Tyler Technologies to remediate the portal and will provide further updates on the schedule for resuming online operations as they are available. [3/15 update: The portal is back online.]

For more information, Tyler Technologies, the provider of the impacted Odyssey Portal, has published a webpage on the Odyssey Portal data harvesting and its implications for customers.

[1] [1] “Confidential” records are those defined as nonpublic under the Business and Professions Code applicable to State Bar records, including information concerning closed discipline complaints that did not result in charges, and reference to mental health/substance abuse.

[2] [2] Although the State Bar is not bound by California consumer privacy law, for purposes of its review and notice protocol, the State Bar has utilized the definition of personal information contained in that law (Cal. Civ. Code §§ 1798.29 and 1798.82).

March 10, 2022

In its initial February 26 news release, the State Bar expressed concerns that its confidential records may have been accessed unlawfully. In that statement, the State Bar did not distinguish between unlawful access and unlawful publication of the records. This was in error. The State Bar does not contend that publication of records acquired lawfully would be unlawful. We thank the First Amendment Coalition for raising these important distinctions with us.

March 2, 2022

Correction to our 2/26 news release: The State Bar did not ultimately alert law enforcement, as originally stated. Based on limited information available at the time, which suggested that an unlawful access of the State Bar system may have occurred, we had intended to prepare a law enforcement referral as part of our effort to respond quickly and responsibly and fulfill any obligations to protect confidential records and those impacted. When it then appeared that the site owner’s access of confidential records was inadvertent, we held off on making the law enforcement report. When the site owner was informed that the records are confidential pursuant to statute and of the public policy supporting confidentiality of those records, they voluntarily assisted the State Bar and removed access to the records from the site. 

At this time, the State Bar is preparing to report the vulnerability to the Common Vulnerabilities and Exposures Program (CVE), an international, community-driven effort to identify, define, and publicly catalog cybersecurity vulnerabilities. [Update: this report was submitted the week of March 7.] 

As of March 1, the site owner of judyrecords has voluntarily disabled all searches of its database, “out of an abundance of caution.”

The State Bar Court portal remains unavailable until further notice. We are working with Tyler Technologies to restore public access as soon as possible. [3/15 update: the portal is back online.]

Tyler Technologies has posted an FAQ in its online customer community regarding the underlying technical issues that resulted in the breach of confidential information.

We are continuing to work with the site owner of judyrecords to get specific information about the confidential State Bar records viewed before the site was disabled. 

February 28, 2022

The State Bar has continued its investigation with the help of an IT security firm, and has also been in contact with the owner of the judyrecords site, who has been very responsive and collaborative. It is now the State Bar’s belief that there was no malicious “hack” of its system. Instead, it appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords when they attempted to access the public records, using a unique access method. The State Bar is working with Tyler Technologies, the maker of the Odyssey system, to remediate the security vulnerability, which we believe may not be unique to the State Bar’s implementation and could impact other users of Odyssey systems.

The State Bar and the owner of the judyrecords site are working together to ensure that nonpublic State Bar records are permanently purged from the site and that State Bar public records can be made available on the site.  

“Our obligation and responsibility are to the respondents and witnesses whose nonpublic information may have been shared, and again I apologize to them for this breach,” said Leah Wilson, State Bar Executive Director. “We have confirmed that this was not a hack, but rather an access vulnerability problem with our Odyssey system. We thank judyrecords for quickly removing the files and look forward to similarly working expeditiously with Tyler Technologies to take the necessary steps to address this issue.”  

February 27, 2022

As of late Saturday night, it appears that all State Bar records, confidential and public, have been removed from the site, with a note confirming this on the site. We are continuing to investigate.

Background

On February 24, 2022, the State Bar learned that a public website that aggregates nationwide court case records was displaying limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. [These figures have since been updated on further investigation; please see March 14 update above.] The site also appears to display confidential court records from other jurisdictions. The nonpublic case profile data from the State Bar displayed on this public website included case number, file date, case type, case status, and respondent and complaining witness names. It did not include full case records. 

Read our full news release here.

Updates will be added to this webpage as they become available.

Frequently Asked Questions

When did the State Bar first learn about the breach of nonpublic information?

On February 24, 2022, the State Bar learned that an external public website that aggregates nationwide court case records was able to access and display limited profile data on about 260,000 nonpublic State Bar attorney discipline case records. The nonpublic records available on the site do not include detailed State Bar case records, but they do display case numbers, file dates, case types, case status, and respondents and complainant names.

The State Bar deeply apologizes to anyone impacted by this breach, and we are doing everything in our power to get to the bottom of it and prevent any future harms.

Who first notified the State Bar about the website?

A complaining witness brought the website to the attention of an investigator from the Office of Chief Trial Counsel, who in turn alerted their supervisor.

Was this a hack? And how did this happen?  

As of Monday, February 28, it is the State Bar’s belief that there was no malicious “hack” of its system. Instead, it appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords when they attempted to access public records.

The site owner claims that the State Bar’s confidential and public case records were all previously available at a public URL. Is this true?

The State Bar Court website allows the public to search for publicly available case information. The URL mentioned by the site owner was never used by the public and never intended for public access searches.

The State Bar has continued its investigation with the help of an IT security firm and has also been in contact with the owner of the site. As noted above, it appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords when they attempted to access public records

How long were the records available?

Statistics provided by the site owner indicate that State Bar records and information were available on the judyrecords site from October 15, 2021, to February 26, 2022.

The judyrecords site mentions that the number of affected cases is less than 1,000. What does that mean?

The comment refers to the site owner’s estimate of pageviews of all State Bar case records, public and nonpublic, during entire initial period they were posted. The State Bar is working to confirm this information. [The State Bar has investigated and updated this figure, please see March 14 update, above.]

What is the State Bar doing about this?

The State Bar is taking all necessary steps to address and correct this matter. So far, we have:

  • Retained a team of IT forensics experts to assist in our investigation. 
  • Tasked our case management system software vendor, Tyler Technologies, to investigate and remediate any issues in their Odyssey case management software or this specific implementation of it. 
  • Contacted the website’s hosting provider, OVH Hosting, Inc in Montreal, Canada, and domain name registrar godaddy.com requesting that the confidential data be immediately taken down.
  • We have been in contact with the site owner and are working with them to permanently purge the nonpublic records so that State Bar public records can again appear on the site.
  • We submitted a report on the vulnerability to CVE, an international, community-driven effort to identify, define, and catalog cybersecurity vulnerabilities.
  • We engaged cyberlaw experts Cooley LLP to advise the State Bar on strategic follow-up actions. 
  • We are in the process of notifying those whose names or other information appeared in the confidential records.

What should anyone concerned that their name appears on this website do? 

As of late Saturday, February 26, all State Bar records appear to have been removed from the site. As of March 1, the site owner disabled all search capabilities on the site, for all records it contains nationwide, “out of an abundance of caution."

Is the State Bar the only public agency impacted by this?

We believe the issue is broader than the State Bar, because it appears that confidential records from other jurisdictions are appearing on the site as well. The judyrecords site owner lists what they believe are the affected jurisdictions here. According to this webpage from Tyler Technologies, all potentially affected client Odyssey Portals were repaired as of April 21, 2022.