Cyber Incident Victim: Florida Bar Association
Date:
Sep 2016
Location:
United States of America
Summary
The Florida Bar Association experienced unauthorized access to its systems, resulting in the exposure of member data including email addresses, phone and fax numbers, mailing addresses, and disciplinary records. Hackers associated with a former law enforcement official claimed to have obtained the entire database, demonstrating access to approximately 260,000 records via a web application vulnerability related to insecure JSON outputs. While the organization asserted no breach occurred, maintaining that the information constituted public records, cybersecurity experts characterized the incident as a compromise due to the mass extraction method bypassing legitimate public access protocols. The attackers publicly released analyzed datasets and provided technical evidence of the exploit.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 22, 2016, hackers associated with a former Palm Beach County Sheriff’s Office deputy breached the Florida Bar Association’s systems, exfiltrating and publicly leaking extensive member data. The attackers claimed to have accessed the association’s entire database, publishing detailed records including 158,385 email addresses, 219,139 office and cell phone numbers, 84,772 fax numbers, and 226,928 mailing addresses. Additionally, disciplinary files containing bar complaint histories were analyzed and ranked, exposing sensitive professional information about members. The hackers attributed the breach to vulnerabilities in the association’s JSON outputs, using explicit language to criticize their security practices. While the Florida Bar’s website experienced downtime coinciding with the attack, no initial breach notification was posted, and the organization did not respond to DataBreaches.net’s initial inquiries prior to publication. The leaked data encompassed records for 102,783 members, including both active practitioners and those ineligible to practice law in Florida.
The Florida Bar Association denied server compromises in multiple statements, asserting all leaked information constituted public records under state law. Cybersecurity experts contested this characterization, with CSO’s Steve Ragan clarifying that bulk extraction via application vulnerabilities constituted unauthorized access—a hack—rather than legitimate public records retrieval. The hackers provided DataBreaches.net with an MP4 file demonstrating their ability to access 259,969 records, though the outlet hesitated to publish it due to exploitation concerns. Despite the association’s request to remove coverage of the incident, media outlets maintained the event qualified as a breach given the non-standard acquisition method. The exposure of disciplinary records generated particular concern among members, as this information, while technically public, was not routinely aggregated or analyzed in such accessible formats. No containment measures or technical remediations were disclosed by the Bar Association in available communications.