DC Bar exam site bug exposed applicants' sensitive info, gov't IDs: report
'It’s a shame D.C. didn’t affirmatively disclose this,' a whistleblower Twitter account wrote
The Washington, D.C., Bar exam website had a bug that exposed applicants' sensitive information, including government-issued identification, according to tech news website TechCrunch.
Lawyers who were using the website to apply for licenses to practice law in the District told the outlet that, due to a bug on the site, they were able to access their application files even when they were logged out of their accounts and using different browsers.
D.C. Bar said in a statement Wednesday that it "identified a misconfiguration of the bar exam application software that it manages," and "within hours of learning of the risk, the D.C. Bar identified the root cause, rectified the issue, and completed the remediation by 6:00 pm on Friday, August 28, 2020."
One applicant told TechCrunch that several lawyers "did take some steps to verify" the issue. "A colleague and I both were able to access our documents while not logged into the system through a new browser," the applicant said.
Internal emails obtained by TechCrunch showed one whistleblower attempted to contact the District of Columbia Bar website "on three separate occasions" to alert it to the issue but never heard back.
One applicant, who goes by the Twitter handle of Bar Exam Tracker, shared the whistleblower's emails with TechCrunch and other news outlets "in good faith to notify affected users and ensure the issue is fixed," the outlet reported.
"State bars [and] supreme courts are held to the HIGHEST standards of ethics [and] candor," the Bar Exam Tracker account wrote in a Wednesday tweet. "It’s a shame D.C. didn’t affirmatively disclose this. This IS NOT about ExamSoft. But I think it says something about whether applicants can trust bars/courts on data security."
After a number of lawyers began notifying the D.C. Bar of the bug, the website's application page displayed a notice that read, "Investigating some technical issues" and asked applicants not to upload new files, according to the outlet.
"The D.C. Bar found evidence that the files of only one applicant were accessed and provided that information to the D.C. Court of Appeals," D.C. Bar said in their statement. "The security of applicant and member data is of utmost importance to the D.C. Bar, which has industry-standard safeguards in place to continue to protect this information."