Calif. Bar Leak Reveals Wider Exposure Of Court Records

By Brandon Lowrey | March 1, 2022, 11:35 AM EST ·

Thousands of confidential or restricted records leaked from courts across the nation appear to have been published online, Law360 has found, with several affected courts confirming they use popular case management software recently alleged to have a security flaw.

Restricted documents from some jurisdictions that use Tyler Technologies' Odyssey case management system have appeared on a public records search engine, according to court officials. (AP Photo/LM Otero)

Restricted documents from some jurisdictions using Tyler Technologies Inc.'s Odyssey case management system appeared on a public records search engine, including case information about juvenile-court defendants and other records that are not supposed to be viewable online if at all, court officials said.

"We are extremely alarmed and are investigating this issue right now," Forsyth County, Georgia, Court Clerk Greg. G. Allen said after Law360 reached out. Details about thousands of the county's juvenile cases appeared to have been published on the site, judyrecords.com.

The discovery of the widespread data leak comes a day after the State Bar of California, which uses Odyssey, announced that as many as 260,000 of its confidential attorney discipline records had appeared on judyrecords.com. The records have since been removed, but the Bar said Monday night that the Odyssey system had a "previously unknown security vulnerability" that may have affected other systems.

Odyssey has been adopted by courts and justice agencies in seven countries and 28 U.S. states, according to the developer's website. It was unclear how many may be affected.

A Tyler Technologies spokesperson told Law360 on Tuesday morning that the company is investigating. On Sunday night, Tyler Technologies had told Law360 that it was not aware of any affected Odyssey users besides the State Bar of California.

This week, Law360 searched judyrecords.com and uncovered dockets with detailed information about minors that, in some affected jurisdictions, is normally restricted or confidential. The information included the names of defendants. In several cases, it also listed their birth dates, criminal charges and sentencing information.

Public access to juvenile criminal case records varies by state. Some states keep the records public but restrict who can view them and where.

In New Mexico, court officials said juvenile criminal dockets are not typically accessible online through their Odyssey system, even to law enforcement officials, and must be viewed in person at a courthouse. However, thousands of the state's juvenile case dockets have been published to judyrecords.com. Some appeared to be marked as sealed.

The website also had docket sheets for numerous cases from several Odyssey-equipped county courts in the state of California, which has even stricter controls on access to juvenile records. Those records were not available in searches on the courts' websites.

Riya Saha Shah, managing director of the Juvenile Law Center, said that the leak of these records could cause substantial harm to people in many jurisdictions who had juvenile records.

"This is the information age, right? The first thing we do when we meet somebody is we Google them," she said. "If a prospective employer Googles an adult's name and this record of something that happened decades ago is coming up, that creates a perception of who the person is, and what we argue is not an accurate portrayal of who a person is."

Officials with some jurisdictions told Law360 late Monday that they were shocked to see the records online but declined to speak on the record immediately. Others did not immediately respond to requests for comment.

The administrator of judyrecords.com did not respond to messages left by Law360. However, two hours after this article was initially published, the website's search function was disabled, and its information page said it had removed access to the cases it had indexed "out of an abundance of caution."

About 260,000 nonpublic disciplinary files from the State Bar of California appeared on judyrecords.com over the weekend, prompting the Bar to announce that a "data breach" had occurred. Initially, the Bar said it may have been hacked. But by Monday night, officials said they believed there was a problem with the Odyssey system.

"Instead, it appears that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords when they attempted to access the public records, using a unique access method," the Bar said on its website. "The State Bar is working with Tyler Technologies, the maker of the Odyssey system, to remediate the security vulnerability, which we believe may not be unique to the State Bar's implementation and could impact other users of Odyssey systems."

--Editing by Brian Baresch.

Update: This article has been updated to note that judyrecords.com had disabled its search function and removed access to case files.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!