Summary The California Bar said its confidential disciplinary records were available to the public online for more than four months

(Reuters) - The State Bar of California, which earlier said a "hack" led to a months-long online disclosure of 260,000 confidential attorney discipline cases, instead now blames the breach on an “unknown security vulnerability” in its own database.

Bar officials on Monday said an IT firm’s investigation of the data exposure found a vulnerability in its case management portal, maintained by outside vendor Tyler Technologies, that allowed an external court case aggregating website to sweep up attorney discipline records that are not supposed to be available to the public. That website, judyrecords.com, used a “unique access method” to pull the confidential records from its database and publish them, the bar said.

A representative for Tyler Technologies said Tuesday that the company is investigating the issue. A representative for judyrecords.com could not be reached.

Register now for FREE unlimited access to Reuters.com Register

“Our obligation and responsibility are to the respondents and witnesses whose nonpublic information may have been shared, and again I apologize to them for this breach,” California Bar executive director Leah Wilson said in a statement.

Wilson said the bar, which is responsible for licensing California attorneys and investigating those accused of wrongdoing, is working with judyrecords.com to remove all confidential attorney discipline data from the site.

The state bar said it was notified on Feb. 24 by a complaining witness in one disclosed case that confidential attorney discipline records were available on judyrecords.com, which purports to have more than 630 U.S. courts cases in its free database. The administrator of judyrecords.com, who runs the site anonymously, later confirmed to the bar that those confidential records had been available to users since Oct. 15, 2021 until they were taken down on Feb. 26.

Under California law, attorney discipline cases are confidential until formal charges are filed. The information on judyrecords.com included case numbers, file date, case types and names of respondents and complaining witnesses. It did not include full case records, according to the state bar.

“We thank judyrecords for quickly removing the files and look forward to similarly working expeditiously with Tyler Technologies to take the necessary steps to address this issue,” Wilson said.

Read more:

California Bar says 'hack' exposed 1,000s of attorney discipline cases

Calif. bar investigates itself over 'Real Housewives' husband Girardi

Register now for FREE unlimited access to Reuters.com Register

Reporting by Karen Sloan

Our Standards: The Thomson Reuters Trust Principles.