According to this LA Times [0] story, the records were apparently found on judyrecords.com, a project recently discussed in a Show HN [1].<p>> <i>State Bar officials learned about the posted records on Feb. 24. As of Saturday night, all the confidential information that had been published on the website judyrecords.com — which included case numbers, file dates, information about the types of cases and their statuses, respondent and complaining witnesses names — had been removed, officials said.</i><p>> <i>...Full case records were not published. Officials said they don’t know whether the published information was the result of a hacking incident. Judyrecords.com is a website that aggregates nationwide court case records.</i><p>edit: The "Info" link [2] on judyrecords.com has updates related to this event. It asserts that the confidential data was available on the CA Bar's own website:<p>> <i>These records were all (confidential & non-confidential) previously publicly available at <a href="https://discipline.calbar.ca.gov" rel="nofollow">https://discipline.calbar.ca.gov</a> (now offline).</i><p>[0] <a href="https://www.latimes.com/california/story/2022-02-27/california-bar-investigates-possible-data-breach-after-discipline-records-published-online" rel="nofollow">https://www.latimes.com/california/story/2022-02-27/californ...</a><p>[1] <a href="https://news.ycombinator.com/item?id=30399881" rel="nofollow">https://news.ycombinator.com/item?id=30399881</a><p>[2] <a href="https://www.judyrecords.com/info" rel="nofollow">https://www.judyrecords.com/info</a>
Why is it so impossible for these people/organizations to accept that they made a mistake and own up to it? The entire response by the State Bar of California is nothing but a deflection of blame that rests solely on themselves and their chosen vendor(s).<p>What are they going to do next, call Missouri's governor and ask for the playbook to follow? The humans behind the scenes at the bar are looking incredibly pathetic here.
Doesn't sound like a breach to me - sounds like the state bar association inadvertently gave out the information, and now they are looking for someone to blame - someone else that is.
> We apologize to anyone who is affected by the website’s unlawful display of nonpublic data<p>Sounds like Missouri teachers SSN leak again... The website that judyrecords scraped, discipline.calbar.ca.gov, contained all of these "nonpublic" records for anyone to see.
Apparently the State Bar has been breaking the law.<p><i>The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.</i><p><i>Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.</i><p><i>The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute. It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.</i>
I used judyrecords to check myself after it was posted here. I had a charge from over a decade ago listed as a felony that had been reduced to a misdemeanor. The state system shows it as a misdemeanor. I paid good money to an attorney for a misdemeanor. I'm not sure why judyrecords shows it as a felony, and it has me wondering about the effectiveness of my legal defense.<p>edit: If you're wondering if I'm a hardened criminal with a wake of victims left behind, the answer is no. I was 22 and got caught in the midwest with an ounce and a half of cannabis. This website, as far as I'm concerned, is displaying inaccurate information about me that could have serious negative consequences for myself.
On a related note, the California Bar website employs dark patterns that mislead members into paying inflated annual dues.<p>When you renew your membership, there are a variety of addon payments you can opt into by checking boxes for these items. Then, on a later page, there are various addon payments that you have to opt out of.<p>Making things even trickier, these aren't pre-checked boxes, which might lead the user to realize he needs to uncheck them. Instead, there is a list of "adjustments" with a dropdown menu for each. The dropdown defaults to "none", which would lead users to think that they are not paying for an extra item. But when you click on the dropdown, you see the option to "deduct $x" if you don't want to pay the additional fee.<p>I've never seen a dark pattern like this anywhere else. Perhaps the folks who run the calbar website could spend less time finding ways to trick members into overpaying and more time securing private information.
"Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted."<p>Does this part of the code apply to everyone, or only the folks in charge of the investigations, or in charge of safeguarding the information?<p>If someone is in a bar and overhears a Bar employee talking loudly about an investigation, do they have a legal duty to keep what they heard confidential?
This is probably a stupid question to those who work with these concepts often: can all the user data in the DB be hashed with the user’s password so that nothing is gained from a breach? Is this mostly a CPU resource problem, or would JWT architecture preclude that from working? (I haven’t built auth systems for several years)
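The scheme this comment asks about, as an added example that is not part of the thread: each user's stored record is encrypted under a key derived from that user's password, so a copied database row is useless without the password. The code is standard-library Python only; the scrypt parameters, the `derive_keys`/`encrypt_record`/`decrypt_record` names and the sample record are constructed for this example. Because the standard library has no AEAD cipher, the block uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in; a real system would use AES-GCM or ChaCha20-Poly1305 from a proper library.

```python
"""Per-user record encryption keyed from the user's password.

Added example, not code from the thread. Standard library only. The cipher
below (HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC) is an illustrative
stand-in for an AEAD such as AES-GCM; the KDF cost is the real CPU expense
the question asks about.
"""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Deliberately slow, memory-hard stretching (constructed parameters, ~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into two independent 32-byte keys: encryption and MAC."""
    km = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(password: str, record: dict) -> dict:
    """Return the DB row: everything an attacker would get from a dump."""
    salt = os.urandom(16)    # per-user KDF salt, stored alongside the ciphertext
    nonce = os.urandom(16)   # per-record nonce; never reuse with the same key
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_record(password: str, row: dict) -> Optional[dict]:
    """Recover the record, or None on wrong password or a tampered row."""
    salt, nonce = bytes.fromhex(row["salt"]), bytes.fromhex(row["nonce"])
    ct, tag = bytes.fromhex(row["ct"]), bytes.fromhex(row["tag"])
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before decrypting
        return None
    plaintext = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    return json.loads(plaintext.decode("utf-8"))


def breach_simulation() -> bool:
    """Constructed scenario: the attacker holds only the row, not the password."""
    row = encrypt_record("correct horse battery staple",
                         {"name": "Constructed User", "case_no": "EXAMPLE-0001"})
    without_password = decrypt_record("guess", row)            # -> None
    with_password = decrypt_record("correct horse battery staple", row)
    return without_password is None and with_password["name"] == "Constructed User"


if __name__ == "__main__":
    print("breach yields nothing without password:", breach_simulation())
```

The trade-offs are visible in the code: the server can only read a record while it holds the password-derived key, so that key has to live in server-side session state for the duration of a login (a bearer JWT by itself does not carry it, and a stateless JWT design gives the server nothing to decrypt with between requests); background jobs, support tooling and search over the data all lose access; and a password reset destroys the data unless a separate recovery key wraps the record key. The KDF call on every login is the CPU cost, which is the same cost a password hash already imposes.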