State Bar of California addresses breach of confidential data

209 points by borepop, about 3 years ago

11 comments

danso, about 3 years ago
According to this LA Times [0] story, the records were apparently found on judyrecords.com, a project recently discussed in a Show HN [1]

> *State Bar officials learned about the posted records on Feb. 24. As of Saturday night, all the confidential information that had been published on the website judyrecords.com — which included case numbers, file dates, information about the types of cases and their statuses, respondent and complaining witnesses names — had been removed, officials said.*

> *...Full case records were not published. Officials said they don’t know whether the published information was the result of a hacking incident. Judyrecords.com is a website that aggregates nationwide court case records.*

edit: The "Info" link [2] on judyrecords.com has updates related to this event. It asserts that the confidential data was available on the CA Bar's own website:

> *These records were all (confidential & non-confidential) previously publicly available at https://discipline.calbar.ca.gov (now offline).*

[0] https://www.latimes.com/california/story/2022-02-27/california-bar-investigates-possible-data-breach-after-discipline-records-published-online

[1] https://news.ycombinator.com/item?id=30399881

[2] https://www.judyrecords.com/info
reset-password, about 3 years ago
Why is it so impossible for these people/organizations to accept that they made a mistake and own up to it? The entire response by the State Bar of California is nothing but a deflection of blame that rests solely on themselves and their chosen vendor(s).

What are they going to do next, call Missouri's governor and ask for the playbook to follow? The humans behind the scenes at the bar are looking incredibly pathetic here.
ejb999, about 3 years ago
Doesn't sound like a breach to me - sounds like the state bar association inadvertently gave out the information, and now they are looking for someone to blame - someone else that is.
cyral, about 3 years ago
> We apologize to anyone who is affected by the website’s unlawful display of nonpublic data

Sounds like Missouri teachers SSN leak again... The website that judyrecords scraped, discipline.calbar.ca.gov, contained all of these "nonpublic" records for anyone to see.
adolph, about 3 years ago
Apparently the State Bar has been breaking the law.

*The State Bar announced today that it is taking urgent action to address a breach of confidential attorney discipline case data that it discovered on February 24. A public website that aggregates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with about 60,000 public State Bar Court case records. The site also appears to display confidential court records from other jurisdictions.*

*Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted.*

*The nonpublic case profile data from the State Bar appears to have been displayed on this public website in violation of this statute. It includes case number, file date, case type, case status, and respondent and complaining witness names. It does not include full case records. We do not yet know how many attorney or witness names were disclosed.*
tossitafter, about 3 years ago
I used judyrecords to check myself after it was posted here. I had a charge from over a decade ago listed as a felony that had been reduced to a misdemeanor. The state system shows as a misdemeanor. I paid good money to an attorney for a misdemeanor. I'm not sure why judyrecords shows it as a felony, and it has me wondering about the effectiveness of my legal defense.

edit: If you're wondering if I'm a hardened criminal with a wake of victims left behind, the answer is no. I was 22 and got caught in the midwest with an ounce and a half of cannabis. This website, as far as I'm concerned, is displaying inaccurate information about me that could have serious negative consequences for myself.
gnicholas, about 3 years ago
On a related note, the California Bar website employs dark patterns that mislead members into paying inflated annual dues.

When you renew your membership, there are a variety of addon payments you can opt into by checking boxes for these items. Then, on a later page, there are various addon payments that you have to opt out of.

Making things even trickier, these aren't pre-checked boxes, which might lead the user to realize he needs to uncheck them. Instead, there is a list of "adjustments" with a dropdown menu for each. The dropdown defaults to "none", which would lead users to think that they are not paying for an extra item. But when you click on the dropdown, you see the option to "deduct $x" if you don't want to pay the additional fee.

I've never seen a dark pattern like this anywhere else. Perhaps the folks who run the calbar website could spend less time finding ways to trick members into overpaying and more time securing private information.
rahimnathwani, about 3 years ago
"Under California Business and Professions Code 6086.1(b), all disciplinary investigations are confidential until the time that formal charges are filed, and all investigations are confidential until a formal proceeding is instituted."

Does this part of the code apply to everyone, or only the folks in charge of the investigations, or in charge of safeguarding the information?

If someone is in a bar and overhears a Bar employee talking loudly about an investigation, do they have a legal duty to keep what they heard confidential?
user3939382, about 3 years ago
This is probably a stupid question to those who work with these concepts often: can all the user data in the DB be hashed with the user’s password so that nothing is gained from a breach? Is this mostly a CPU resource problem or would jwt architecture preclude that from working? (I haven’t built auth systems for several years)
bastardoperator, about 3 years ago
Surprised this site isn't managed by CDT (https://cdt.ca.gov/)
jahewson, about 3 years ago
> We take our obligations to protect confidential data with the utmost seriousness

Really?