By Andrea Lavelle
At the March 24th Board of Trustees meeting, Chief Administrative Officer Steve Mazer provided an update on the recent Odyssey case management system breach that exposed over 300,000 State Bar case records. Mazer gave an overview of the Bar’s initial response after it learned of the system vulnerability, as well as its efforts to investigate and remedy the breach.
On February 24, 2022, the Bar became aware that public and nonpublic State Bar case records appeared on judyrecords.com, a public website that aggregates nationwide court case records into a searchable database. After learning of the breach, the Bar organized a response team consisting of Bar staff, a third-party IT security firm of forensic investigators and security engineers, and the law firm Cooley LLP, which provided legal assistance related to notifications to affected parties and potential remedies. The Bar also cooperated with Tyler Technologies, the company that makes the Odyssey case management portal. The preliminary investigation by Bar staff and the third-party IT firm showed that 60,000 public and 260,000 nonpublic case records had been exposed and that the Odyssey portal was likely the source of the breach. Tyler Technologies confirmed that the Odyssey portal contained a vulnerability, and the portal was taken offline.
Within 48 hours of learning of the breach, the Bar issued a press release and created a summary and FAQ webpage. After seeing media coverage of the press release, judyrecords.com took the records offline and contacted the Bar to help resolve the issue. In the subsequent two weeks, Tyler Technologies and the Bar’s third-party IT security firm continued to investigate to determine which nonpublic records had been posted and viewed on judyrecords.com. The number of records found to have been exposed was higher than originally thought. Mazer presented the current number of confirmed posted records as 47,964 public and 322,525 nonpublic records, 188 of which contained personal information. Of the records posted, 60 public and 1,034 nonpublic records were viewed, including six that contained personal information. The information and cooperation from Tyler Technologies and judyrecords.com led the Bar to conclude that the breach was unintentional and that the Odyssey vulnerability caused nonpublic records to be accessed by judyrecords.com when it tried to obtain public records.
On March 15, 2022, the Bar’s case management portal was brought back online for public records access, after the Bar’s IT staff and third-party IT firm installed Tyler Technologies’ security fix. In addition to continuing the periodic security assessments regularly conducted prior to the breach, the Bar will add IT security reviews assisted by the third-party IT firm hired as a result of the breach.