April 19, 2022
As of April 2, 2022, 99% of potentially affected client Odyssey Portals have been remediated. The remediation for each client is unique and based on individual configurations and preferences. We are optimistic that we will reach 100% remediation soon.
We continue to work cooperatively with judyrecords.com on behalf of our clients to best understand what nonpublic data, if any, may have been made available via the judyrecords.com site. Tyler has developed a process to facilitate our clients' investigations, and we continue to make resources available to streamline that process for all stakeholders.
In addition, Tyler is coordinating with multiple third-party security firms, including Mandiant, on this active investigation. While a complete forensic analysis is still underway, we are pleased to have nearly all potentially affected Odyssey Portal users remediated and live.
March 21, 2022
Remediation efforts and the security of our clients’ data remain Tyler’s top priorities. Our cross-functional internal team along with our third-party security firms have been working continuously on behalf of our clients since this matter was first identified. We are committed to working in a forensically sound, responsible manner.
As of March 21, 2022, over 80% of potentially affected client Odyssey Portals have been remediated and are back online. Our support team continues to work with remaining clients on remediation based on their individual configurations and scheduling preferences.
Tyler is working with and on behalf of our clients to best understand what nonpublic data, if any, may have been made available through a judyrecords.com search, and what data, if any, may have actually been viewed via the judyrecords.com site. We understand from judyrecords.com that they have the ability to identify both what data was harvested and what was accessed while on their site and, thus, judyrecords.com’s continued cooperation is extremely important.
For those clients where judyrecords.com has provided the full data, Tyler has worked to help our clients fully assess the harvested information and identify what may have been viewed or accessed while on this third-party site. Tyler will continue acting as an intermediary between these clients and judyrecords.com to ensure that all nonpublic information has been removed from this third-party site. We look forward to judyrecords.com’s continued cooperation in this effort.
March 8, 2022
On Feb. 24, 2022, Tyler Technologies was notified by the State Bar of California that nonpublic case record data was posted to judyrecords.com. Judyrecords.com is not associated with the State Bar of California or Tyler. Tyler immediately launched an extensive investigation.
Based on our research to date, it appears that judyrecords.com regularly conducts data harvesting to make public records available through an online search tool. During judyrecords.com’s harvesting activity, it appears that certain public and nonpublic case records were accessed by judyrecords.com via the State Bar of California’s Odyssey Portal and made available for search on the judyrecords.com site. Tyler confirmed this activity did not involve access to the State Bar’s Odyssey case management system and was contained to its public-facing Odyssey Portal.
On Feb. 28, 2022, Tyler learned that judyrecords.com may have performed data harvesting activity on the Odyssey Portals of other Tyler clients, and may have made certain nonpublic data of other Tyler clients available for search online as well. Tyler quickly contacted clients that have an installation of Odyssey Portal identified as potentially affected and provided recommendations for containment, including the option of taking their portal offline and similar mitigation steps.
The data harvesting activity surfaced a vulnerability in the Odyssey Portal that is being addressed through intensive efforts by the Tyler team in coordination with our clients. Clients use the Odyssey Portal to provide access to public case records, but also may authorize and grant access to approved third parties to access nonpublic case records. Tyler is working with clients to make sure that only authorized parties can access nonpublic case records.
On March 4, 2022, judyrecords.com confirmed to Tyler that they had performed data harvesting on the Odyssey Portals of other Tyler clients and had information that could assist in identifying the exposed nonpublic records. Please see the steps below for more information.