April 19, 2022
As of April 2, 2022, 99% of potentially affected client Odyssey Portals have been remediated. The remediation for each client is unique and based on individual configurations and preferences. We are optimistic that we will reach 100% remediation soon.

We continue to work cooperatively with judyrecords.com on behalf of our clients to best understand what nonpublic data, if any, may have been made available via the judyrecords.com site. Tyler has developed a process to facilitate our clients' investigations and we continue to make resources available to streamline such process for all stakeholders.

In addition, Tyler is coordinating with multiple third-party security firms, including Mandiant, on this active investigation. While a complete forensic analysis is still underway, we are pleased to have nearly all potentially affected Odyssey Portal users remediated and live.

March 21, 2022 
Remediation efforts and the security of our clients’ data remain Tyler’s top priorities. Our cross-functional internal team along with our third-party security firms have been working continuously on behalf of our clients since this matter was first identified. We are committed to working in a forensically sound, responsible manner.

As of March 21, 2022, over 80% of potentially affected client Odyssey Portals have been remediated and are back online. Our support team continues to work with remaining clients on remediation based on their individual configurations and scheduling preferences.

Tyler is working with and on behalf of our clients to best understand what nonpublic data may have been made available through a judyrecords.com search, if any, and what data may have actually been viewed via the judyrecords.com site, if any. We understand from judyrecords.com that they have the ability to both identify what data was harvested and what was accessed while on their site and, thus, judyrecords.com’s continued cooperation is extremely important.

For those clients where judyrecords.com has provided the full data, Tyler has worked to help our clients fully assess the harvested information and identify what may have been viewed or accessed while on this third-party site. Tyler will continue acting as an intermediary between these clients and judyrecords.com to ensure that all nonpublic information has been removed from this third-party site. We look forward to judyrecords.com’s continued cooperation in this effort.

March 8, 2022 
On Feb. 24, 2022, Tyler Technologies was notified by the State Bar of California that nonpublic case record data was posted to judyrecords.com. Judyrecords.com is not associated with the State Bar of California or Tyler. Tyler immediately launched an extensive investigation.

Based on our research to date, it appears that judyrecords.com regularly conducts data harvesting to make public records available through an online search tool. During judyrecord.com’s harvesting activity, it appears that certain public and nonpublic case records were accessed by judyrecords.com via the State Bar of California’s Odyssey Portal and made available for search on the judyrecords.com site. Tyler confirmed this activity did not involve access to the State Bar’s Odyssey case management system and was contained to its public-facing Odyssey Portal.

On Feb. 28, 2022, Tyler learned that judyrecords.com may have performed data harvesting activity on the Odyssey Portals of other Tyler clients, and may have made certain nonpublic data of other Tyler clients available for search online as well. Tyler quickly contacted clients that have an installation of Odyssey Portal identified as potentially affected and provided recommendations for containment, including the option of taking their portal offline and similar mitigation steps.

The data harvesting activity surfaced a vulnerability in the Odyssey Portal that is being addressed through intensive efforts by the Tyler team in coordination with our clients. Clients use the Odyssey Portal to provide access to public case records, but also may authorize and grant access to approved third parties to access nonpublic case records. Tyler is working with clients to make sure that only authorized parties can access nonpublic case records.

On March 4, 2022, judyrecords.com confirmed to Tyler that they had performed data harvesting on the Odyssey Portals of other Tyler clients and had information that could assist in identifying the exposed nonpublic records. Please see the steps below for more information.

1. The issue is of utmost concern to Tyler. Tyler’s first priority is working with our clients to (1) ensure the security of their data, and (2) remediate the issue as soon as possible so our clients can continue to use Odyssey Portal to serve their constituents. 

2. We are gathering as much information as possible to determine what type of data was accessed and whose nonpublic data may have been made available through a judyrecords.com search. We are committed to sharing our findings with our clients and taking appropriate actions to ensure security of client data.

3. Tyler and judyrecords.com are currently coordinating with each other to identify other potentially impacted Tyler clients. The operator of judyrecords.com has indicated a willingness to share detailed information that will assist Tyler in determining which client data was involved. Tyler acknowledges and appreciates that judyrecords.com has taken steps to contain further disclosure of nonpublic information. We acknowledge judyrecords.com takes the position that the accessing and disclosure of nonpublic information by judyrecords.com was inadvertent. 

4. Tyler has been receiving and will continue to work to receive information from judyrecords.com and from Tyler’s clients in a forensically sound manner to assist with the investigation. Tyler has engaged our outside security team, Mandiant, to assist with this work. Tyler looks forward to continuing to work cooperatively with judyrecords.com and with our potentially impacted clients to ensure a full investigation is completed and all nonpublic information remains confidential.   

• On Feb. 24, 2022, Tyler learned that the State Bar of California’s nonpublic case record data was posted to judyrecords.com.

• On Feb. 28, 2022, Tyler learned that judyrecords.com may have also performed data harvesting activity on the Odyssey Portals of other Tyler clients and had potentially posted nonpublic data of other Tyler clients online as well. This activity was confirmed by judyrecords.com on March 4, 2022.

• Tyler quickly notified potentially affected Odyssey Portal clients and provided recommendations for containment, including the option of taking their public-facing Odyssey Portal offline.

• Judyrecords.com's data harvesting activity involved only certain public-facing Odyssey Portal installations. It did not involve nonpublic-facing Odyssey Portal installations or Odyssey case management systems. 

• Between March 2 and March 18, 2022, Tyler held eight webinars for Odyssey Portal clients to explain what we know about the judyrecords.com activity, the scope of its impact, and the steps clients can take to remediate and/or mitigate a data harvesting risk on their Odyssey Portal deployment.

• The Tyler team invited all potentially affected clients to multiple online webinars to explain the issue and direct them to resources for more information. 

• Tyler’s support team has posted recommended actions and instructions on Tyler’s community platform, and these are being updated regularly.  

• Tyler has dedicated additional staff and resources to research and mitigate this matter. 

• Tyler has engaged Mandiant, a third-party security forensic company, to support Tyler’s investigation of this issue.