Applicants say a DC Bar website bug exposed their personal data and background checks
Sept. 30, 2020
Lawyers applying for a license to practice law in Washington, D.C., say a security lapse by the bar association exposed their application files, including their government-issued IDs and background checks.
Applicants said the District of Columbia Bar, which oversees the admissions and licensing for lawyers practicing in the U.S. capital, was storing the applications in an unprotected directory on its website.
The DC Bar did not respond to multiple emailed requests and a voicemail requesting comment prior to publication.
The security lapse was first disclosed in an August 26 email, obtained by TechCrunch, by an unnamed whistleblower who said they “reported this issue on three separate occasions” to the DC Bar, but that their email was not returned nor was the issue fixed. The email said that documents contained personal information like names, phone numbers, and email addresses, as well as Social Security numbers, the applicant’s full employment history, previous home addresses, and any disciplinary records.
The whistleblower said they began notifying news outlets “in a good faith effort to notify affected users and ensure the issue is fixed.” TechCrunch obtained the email from a pseudonymous Twitter account that goes by the handle Bar Exam Tracker.
The email said that the security lapse meant that applicants could still access their uploaded application files from the DC Bar website, even after they logged out. But because the application files followed a consistent naming scheme, anyone could access the application files of other applicants by incrementally changing the web address.
“The documents are publicly accessible merely by opening their addresses in a web browser, and are not protected by any authentication system,” the whistleblower’s email said.
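The pattern described above, set beside a corrected one, as an added example that is not code from the DC Bar's site or the whistleblower's email. The file paths, class and function names are hypothetical and the sample data is constructed.

```python
import secrets

# Constructed sample data: uploads stored under predictable, sequential names.
STATIC_FILES = {
    "/uploads/application_1001.pdf": b"applicant A file",
    "/uploads/application_1002.pdf": b"applicant B file",
}


def serve_static(path):
    """Flawed pattern: the file goes to anyone who requests its path."""
    body = STATIC_FILES.get(path)
    return (200, body) if body is not None else (404, None)


class DocumentService:
    """Corrected pattern: uploads are kept out of the web root and released
    only after a session check and an ownership check."""

    def __init__(self):
        self._sessions = {}   # session id -> account
        self._documents = {}  # document id -> (owner account, content)

    def login(self, account):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = account
        return session_id

    def logout(self, session_id):
        self._sessions.pop(session_id, None)

    def upload(self, session_id, content):
        account = self._sessions[session_id]
        doc_id = secrets.token_urlsafe(32)  # random identifier, not a counter
        self._documents[doc_id] = (account, content)
        return doc_id

    def download(self, session_id, doc_id):
        account = self._sessions.get(session_id)
        if account is None:
            return (401, None)  # logged out or never logged in
        owner, content = self._documents.get(doc_id, (None, None))
        if owner != account:
            return (404, None)  # same answer for "missing" and "not yours"
        return (200, content)
```

The random identifier is defence in depth only; the session and ownership checks in `download` are what stop a logged-out or different user from retrieving the file.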
Word of the security lapse quickly spread among some bar applicants. Two applicants, who agreed to be quoted but asked not to be named for fear of retaliation, told TechCrunch that they were able to access their application files after they had logged out.
“We did take some steps to verify it,” said one applicant, referring to the claims in the whistleblower’s email. “A colleague and I both were able to access our documents while not logged into the system through a new browser.”
“Several of us tried it, myself included, and found that it worked,” said another applicant.
The applicants also reported the issue to the DC Bar. Soon after, a notice on the application site said the DC Bar was “investigating some technical issues,” and asked applicants not to upload any files.
The security lapse was subsequently fixed, but the applicants say that the DC Bar has not yet disclosed the security incident.
“Truly can’t believe the bar didn’t notify us of the issue,” one of the applicants said.
A spokesperson for the Office of the Attorney General for the District of Columbia would not say if the DC Bar had notified the office of the security lapse.
OFFICE OF DISCIPLINARY COUNSEL
Due to the limited capabilities of our Office at this time, there will be a delay in our receipt of regular mail. We do not accept correspondence by email in a preliminary, undocketed investigation. You may contact the undersigned at (202) 454-1745. It may take up to three business days to return your call. We appreciate your patience during this time.
August 4, 2020
Joanna Burke Kajongwe@gmail.com
Dear Mr. and Mrs. Burke:
Re: Rose Smith/Burke, Burke Undocketed No. 2020-U481
This Office has completed its review of the disciplinary complaint that you filed against Sabrina Rose-Smith, Esquire.
You state that Ms. Rose-Smith is an attorney with Goodwin Proctor, LLP, and that her law firm represents Ocwen Financial Corporation in Case No. 9:17-cv-80495 before the United States District Court for the Southern District of Florida.
You filed a motion to intervene in this matter. You claim that Ms. Rose-Smith “knowingly committed perjury and withheld evidence” in connection to your attempts to become a party to the case.
We reviewed the computer docket sheet and the court’s response to your motion to intervene. By order dated May 30, 2019, the court denied your motion, explaining that
(1) you failed to meet the requirements for intervention of a matter of right because you did not demonstrate that your interests would be harmed by the outcome of the case and
(2) it would not grant permissive intervention because doing so would introduce facts not in issue. The court denied your motion to reconsider and you appealed its decision to the Eleventh Circuit.
Upon review of this information, we decline to open a formal investigation of this matter.
You have raised your concerns regarding the truthfulness of Ms. Rose-Smith’s statements to the U.S. District Court for the Southern District of Florida and the Eleventh Circuit.
The court exercised its discretion in declining your participation in the case.
We will not interfere with the court’s decision in this matter by investigating the facts you allege.
To the extent that Ms. Rose-Smith argued that your statements lacked merit, this was a legal argument, not a factual allegation that may be considered a misrepresentation.
Therefore, although we appreciate your concerns, we decline to open a formal investigation of this matter and this file is now closed.
Angela Walker Staff Attorney