Applicants say DC Bar exposed their personal data and background checks

Lawyers applying for a license to practice law in Washington, D.C., say a security lapse by the bar association exposed their application files, including their government-issued IDs and background checks.

Applicants said the District of Columbia Bar, which oversees the admissions and licensing for lawyers practicing in the U.S. capital, was storing the applications in an unprotected directory on its website.

The security lapse was first disclosed in an August 26 email, obtained by TechCrunch, by an unnamed whistleblower who said they "reported this issue on three separate occasions" to the DC Bar, but that their email was not returned nor was the issue fixed. The email said that documents contained personal information like names, phone numbers, and email addresses, as well as Social Security number, the applicant's full employment history, previous home addresses, and any disciplinary records.

The whistleblower said they began notifying news outlets "in a good faith effort to notify affected users and ensure the issue is fixed." TechCrunch obtained the email from a pseudonymous Twitter account that goes by the handle Bar Exam Tracker.

The email said that the security lapse meant that applicants could still access their uploaded application files from the DC Bar website, even after they logged out. But because the application files followed a consistent naming scheme, anyone could access the application files of other applicants by incrementally changing the web address.

"The documents are publicly accessible merely by opening their addresses in a web browser, and are not protected by any authentication system," the whistleblower's email wrote.

Word of the security lapse quickly spread among some bar applicants. Two applicants, who agreed to be quoted but asked not to be named for fear of retaliation, told TechCrunch that they were able to access their application files after they had logged out.

"We did take some steps to verify it," said one applicant, referring to the claims in the whistleblower's email. "A colleague and I both were able to access our documents while not logged into the system through a new browser."

"Several of us tried it, myself included, and found that it worked," said another applicant.

The applicants also reported the issue to the DC Bar. Soon after, a notice on the application site said the DC Bar was “investigating some technical issues,” and asked applicants not to upload any files.

The security lapse was subsequently fixed, but the applicants say that the DC Bar did not disclose the security incident.

The DC Bar did not respond to multiple emailed requests and a voicemail requesting comment prior to publication. After we published, the DC Bar confirmed the security lapse in a statement and claimed that "the files of only one applicant" were improperly accessed.

A spokesperson for the Office of the Attorney General for the District of Columbia would not say if the DC Bar had notified the office of the security lapse.

Updated with a statement from DC Bar.