A public records website inadvertently released 260,000 confidential attorney discipline documents due to a security issue within the California State Bar’s records management system, not as a result of a malicious hack, officials said Monday.
The State Bar, in what was initially described as a “breach”, first discovered Friday that judyrecords.com had released the confidential documents along with approximately 60,000 public court cases from the State Bar.
The state bar learned the documents were public after a person who complained about an attorney spoke to an investigator from his office of the chief prosecutor about the website judyrecords. Judyrecords removed the documents on Saturday.
Judyrecords initially released limited case profile information for approximately 260,000 non-public cases. The site owner provided the state bar with preliminary analytics data on its website traffic, showing that approximately 1,000 unique pages were viewed by the public.
“We are working closely with judyrecords to firmly identify cases that have actually been accessed,” the state bar said in an email.
“It is now the state bar’s belief that there was no malicious hacking of its system,” the agency said in a statement. “Instead, it appears that a previously unknown security vulnerability in Tyler Technologies’ Odyssey case management portal allowed non-public records to be inadvertently scanned by judyrecords when they attempted to access to public records, using a single access method. State Bar is working with Tyler Technologies, maker of the Odyssey system, to address the security vulnerability, which we believe may not be unique to the State Bar implementation and could impact d other users of Odyssey systems.
Tyler Technologies did not respond to a request for comment on Monday.
The State Bar and judyrecords work together to ensure that non-public records are permanently removed from the site and that public records remain available.
The State Bar Court website allows the public to search for publicly available case information. However, state law requires that all attorney disciplinary investigations remain confidential until formal charges are filed and legal proceedings are initiated.
Confidential documents released by judyrecords included case number, type, status, date of case, and names of respondents and complainant witnesses. Full case records were not displayed.
State Bar Executive Director Leah Wilson apologized for the security breach in the case management system.
“Our obligation and responsibility rests with the respondents and witnesses whose non-public information may have been shared,” she said in a statement. solve this problem.