
The California State Bar’s case access portal did not perform access control checks before returning confidential case data, resulting in the disclosure of confidential records, the administrator of the open-records site at the center of February’s data leak wrote.

Tyler Technologies, which manages the portal, corrected the vulnerability, the State Bar said March 15, when they announced the public records portal had been restored.

judyrecords published limited information about 322,000 State Bar disciplinary cases from Oct. 15 to Feb. 26, the State Bar said. Of those, only 1,034 have been viewed. The Bar announced the breach Feb. 24.

Tyler Technologies also provides technology to San Bernardino Superior Court.

“We have confirmed that this was not a hack, but rather an access vulnerability problem with our Odyssey system,” said Leah Wilson, State Bar executive director, in a Feb. 28 update. “We thank judyrecords for quickly removing the files and look forward to similarly working expeditiously with Tyler Technologies to take the necessary steps to address this issue.”

judyrecords automatically gathers case information from courts’ public access portals across the country.

“It’s one of those things that almost doesn’t compute, honestly. A security measure so fundamental, and without which the system can’t even be called secure. There’s no buildup or grand reveal on the technical side of things, if you were hoping for one,” judyrecords’ administrator wrote on the website March 18. Follow Our Courts identified the administrator as Richard Barosky.

The access control check would have confirmed that the user requesting the information had authorization from the State Bar to access it before the portal delivered it. Without the check, anyone who had the correct URL would have been able to access confidential records, Barosky wrote.

Barosky was able to guess URLs that led directly to case records by finding information in public docket aggregators, he wrote. He did not believe that any confidential records would be available with a direct search, and believed all of the records he was gathering were public, he wrote.
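The missing check described above, shown beside a hardened lookup, as an added example that is not from the article or from Tyler Technologies' Odyssey code. The record store, case identifiers, `Principal` model and function names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CaseRecord:
    case_id: str
    summary: str
    confidential: bool

@dataclass(frozen=True)
class Principal:
    name: str
    authorized_cases: frozenset = frozenset()

ANONYMOUS = Principal("anonymous")

# Constructed sample records; the identifiers are placeholders.
CASES = {c.case_id: c for c in (
    CaseRecord("CASE-0001", "Public disciplinary decision", False),
    CaseRecord("CASE-0002", "Open investigation", True),
    CaseRecord("CASE-0003", "Closed complaint", True),
)}

class NotFound(Exception):
    """Same error for missing and unauthorized, so existence is not confirmed."""

def get_case_unchecked(case_id: str) -> CaseRecord:
    # The flaw: knowing the identifier is treated as permission to read.
    if case_id not in CASES:
        raise NotFound(case_id)
    return CASES[case_id]

def get_case(principal: Principal, case_id: str) -> CaseRecord:
    # Hardened: the server checks authorization on every request, deny by default.
    record = CASES.get(case_id)
    if record is None:
        raise NotFound(case_id)
    if record.confidential and case_id not in principal.authorized_cases:
        raise NotFound(case_id)
    return record

def audit_anonymous_exposure(fetch) -> list:
    """Regression check: confidential IDs that `fetch` returns without a login."""
    leaked = []
    for case_id in (c.case_id for c in CASES.values() if c.confidential):
        try:
            fetch(case_id)
            leaked.append(case_id)
        except NotFound:
            pass
    return leaked
```

Running the audit against every record endpoint as an unauthenticated caller, and failing the build on a non-empty result, catches this class of defect before a crawler does.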

State Bar and the First Amendment Coalition

The State Bar said that judyrecords violated California’s Business and Professions Code Section 6086.1(b) by publishing the information, and that they contacted law enforcement, two statements they later walked back. The First Amendment Coalition wrote a public letter to the State Bar, saying that the Bar’s statement amounted to veiled threats that “exert an improper chilling effect on protected speech.” The disclosure, not the publication, of confidential information is illegal.

“If the State Bar defaulted on its duty to avoid public disclosures of otherwise confidential information, it may have violated its own rules and procedures, but it may not make veiled threats against the publisher of such information absent any evidence that the publisher acquired the information unlawfully,” wrote David Loy, First Amendment Coalition legal director.

The State Bar thanked the First Amendment Coalition for telling them they were incorrect and did not alert law enforcement.

Cleanup

Barosky suspended the search function on his website and worked with the State Bar and Tyler Technologies to diagnose the issue. Tyler Technologies shut down their portals across the country.

The State Bar retained Cooley LLP to advise them on the breach.

Barosky wrote that, with the national coverage of the issue, the prior coverage by Follow Our Courts was the least biased reporting on the issue.

judyrecords holds 637.4 million cases, and claims to be the largest search engine of United States court cases on the internet.

Barosky created the site as a public records idea in 2014, according to a YouTube video he posted in October 2020.

Barosky’s Reddit account, which posted the video of the code development, has been actively commenting about judyrecords’ technical development for the past two years.

His update ended with a request that Tyler Technologies remove nonpublic cases from docket aggregators and reform its portal design to increase access to public records.
