Lawyers applying for a license to practice law in Washington, D.C., say a security lapse by the bar association exposed their application files, including their government-issued IDs and background checks.
Applicants said the District of Columbia Bar, which oversees the admissions and licensing for lawyers practicing in the U.S. capital, was storing the applications in an unprotected directory on its website.
The DC Bar did not respond to multiple emailed requests and a voicemail requesting comment prior to publication.
The security lapse was first disclosed in an August 26 email, obtained by TechCrunch, by an unnamed whistleblower who said they “reported this issue on three separate occasions” to the DC Bar, but that their email was not returned nor was the issue fixed. The email said that the documents contained personal information like names, phone numbers, and email addresses, as well as Social Security numbers, applicants’ full employment histories, previous home addresses, and any disciplinary records.
The whistleblower said they began notifying news outlets “in a good faith effort to notify affected users and ensure the issue is fixed.” TechCrunch obtained the email from a pseudonymous Twitter account that goes by the handle Bar Exam Tracker.
The email said that the security lapse meant that applicants could still access their uploaded application files from the DC Bar website, even after they logged out. But because the application files followed a consistent naming scheme, anyone could access the application files of other applicants by incrementally changing the web address.
“The documents are publicly accessible merely by opening their addresses in a web browser, and are not protected by any authentication system,” the whistleblower’s email said.
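The two conditions the email describes, files readable without a login and addresses that can be guessed by counting, are closed by checking every file request against the current session and the file's owner. The Python below is an added example, not the DC Bar's code; the `ApplicationFiles` class, its methods and the sample data are hypothetical.

```python
import itertools
import secrets


class ApplicationFiles:
    """Uploads are returned only by download(), never from a web-readable directory."""

    def __init__(self):
        # IDs stay sequential on purpose: the check in download() must hold
        # even when an ID is easy to guess.
        self._next_id = itertools.count(1)
        self._sessions = {}  # session token -> applicant
        self._files = {}     # file id -> (owner, content)

    def login(self, applicant):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = applicant
        return token

    def logout(self, token):
        # Dropping the token is what ends access after logout.
        self._sessions.pop(token, None)

    def upload(self, token, content):
        applicant = self._sessions.get(token)
        if applicant is None:
            raise PermissionError("authentication required")
        file_id = next(self._next_id)
        self._files[file_id] = (applicant, content)
        return file_id

    def download(self, token, file_id):
        applicant = self._sessions.get(token)
        if applicant is None:
            raise PermissionError("authentication required")
        owner, content = self._files.get(file_id, (None, None))
        if owner != applicant:
            # Same answer for "no such file" and "someone else's file",
            # so responses do not reveal which IDs exist.
            raise PermissionError("not found")
        return content

    def can_download(self, token, file_id):
        try:
            self.download(token, file_id)
            return True
        except PermissionError:
            return False
```
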
Word of the security lapse quickly spread among some bar applicants. Two applicants, who agreed to be quoted but asked not to be named for