Image Credits: AgnosticPreachersKid / Wikimedia Commons under a CC BY 3.0 license.

Applicants say DC Bar exposed their personal data and background checks

Lawyers applying for a license to practice law in Washington, D.C., say a security lapse by the bar association exposed their application files, including their government-issued IDs and background checks.

Applicants said the District of Columbia Bar, which oversees the admissions and licensing for lawyers practicing in the U.S. capital, was storing the applications in an unprotected directory on its website.

The security lapse was first disclosed in an August 26 email, obtained by TechCrunch, by an unnamed whistleblower who said they “reported this issue on three separate occasions” to the DC Bar, but that their email was not returned nor was the issue fixed. The email said that the documents contained personal information like names, phone numbers, and email addresses, as well as Social Security numbers, applicants’ full employment histories, previous home addresses, and any disciplinary records.

The whistleblower said they began notifying news outlets “in a good faith effort to notify affected users and ensure the issue is fixed.” TechCrunch obtained the email from a pseudonymous Twitter account that goes by the handle Bar Exam Tracker.

The email said that the security lapse meant that applicants could still access their uploaded application files from the DC Bar website, even after they logged out. But because the application files followed a consistent naming scheme, anyone could access the application files of other applicants by incrementally changing the web address.

“The documents are publicly accessible merely by opening their addresses in a web browser, and are not protected by any authentication system,” the whistleblower wrote in the email.

Word of the security lapse quickly spread among some bar applicants. Two applicants, who agreed to be quoted but asked not to be named for fear of retaliation, told TechCrunch that they were able to access their application files after they had logged out.

“We did take some steps to verify it,” said one applicant, referring to the claims in the whistleblower’s email. “A colleague and I both were able to access our documents while not logged into the system through a new browser.”

“Several of us tried it, myself included, and found that it worked,” said another applicant.

The applicants also reported the issue to the DC Bar. Soon after, a notice on the application site said the DC Bar was “investigating some technical issues,” and asked applicants not to upload any files.

The security lapse was subsequently fixed, but the applicants say that the DC Bar did not disclose the security incident.

The DC Bar did not respond to multiple emailed requests and a voicemail requesting comment prior to publication. After we published, the DC Bar confirmed the security lapse in a statement and claimed that “the files of only one applicant” were improperly accessed.

A spokesperson for the Office of the Attorney General for the District of Columbia would not say if the DC Bar had notified the office of the security lapse.

Updated with a statement from DC Bar.
