In a new report Wednesday from Techcrunch, lawyers applying to join the DC Bar revealed that the personal documents and data of thousands of DC Bar users were exposed in a security leak.
The security gap was discovered on August 26 by an unknown whistleblower who attempted to contact both the DC Bar and multiple news organizations to address the issue. The whistleblower revealed that significant personal information may have been compromised, including names, phone numbers, home addresses and social security numbers. This information is routinely collected by bar associations as part of their evaluations of applicants for licensure. According to the report, the security flaw did not require any significant technical expertise to exploit.
Under the DC Code § 28–3852(a), any person conducting business in DC involving electronic data is required to promptly notify DC residents if their data is known to have been exposed in a data breach. The DC Code also says under subsection (b-1) that the Attorney General of DC must be notified “in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided under subsection (a) of this section,” if the data breach affects 50 or more DC residents.
The DC Bar which counts many members of Congress, lobbyists, and federal employees among its membership, has stated that they were informed of the issue on August 27 and corrected the issue by 6:00pm August 28. They have also stated that at this time they believe only one file was improperly accessed and that they have “industry standard safeguards in place to continue to protect this information.” They have not revealed anything more about their investigation or its conclusions.
This breach was revealed just five days before DC Bar applicants are set to take the online DC Bar Exam.