Law360 (September 8, 2020, 9:30 PM EDT) -- More than 50 people waiting to take the Pennsylvania bar exam online in October asked the state attorney general on Tuesday to investigate the security of exam administrator ExamSoft Inc., saying many applicants saw attempts from third parties to use their personal information soon after they downloaded the company's software.
In a letter to Pennsylvania Attorney General Josh Shapiro's office, the future test takers said they saw a sudden surge in reports of compromised passwords and fraudulent use of their personal information in the days after they downloaded ExamSoft's software. They asked the attorney general to look into whether the company's promise that their data was secure was unfair or deceptive under the state's Unfair Trade Practices and Consumer Protection Law.
"Pennsylvania bar applicants began to express concerns about the security of their personal data, including bank account login information, almost immediately after ExamSoft software became available for download on September 1, 2020," the letter said. "We request that the Bureau of Consumer Protection investigate why bar applicants who downloaded ExamSoft experienced data breaches and whether ExamSoft's data security measures are adequate to protect its users' data."
The letter expressed other concerns about the company's security and handling of sensitive personal data, including ExamSoft features that collect personal information that could be exploited if stolen; "access codes" it sent to users that were merely the state's abbreviation and the last four digits of the applicant's Social Security number; and a proctoring program that enables audio and video monitoring of test takers.
Pennsylvania postponed its summer sitting of the bar exam and moved the fall exam online in July. It is scheduled to take place over three days starting Oct. 5.
Dallas-based ExamSoft will be administering 22 jurisdictions' bar exams in October, including New York, California and Illinois, after two other providers approved by the National Conference of Bar Examiners dropped out, according to the letter. Extegrity withdrew over "insurmountable logistical problems," and ILG Technologies pulled back over data breaches and technical failures prior to Florida's exam in August, the letter said.
The letter said ExamSoft was already targeted by a distributed denial-of-service attack when it was administering the Michigan bar exam in July, and could face worse in the weeks ahead.
"Based on the experiences of both Michigan and Florida, an attempted attack during the October exam — the largest test administration this year — appears likely," the letter said. "It is unclear what, if any, additional measures ExamSoft is taking to prevent a catastrophic data breach."
Within days of downloading ExamSoft's Examplify software platform, the letter said, many Pennsylvania users started noticing suspicious activity on their other accounts, including people using or attempting to use their passwords to access their accounts and make purchases. Users of Google's Chrome browser said they got alerts from a feature that notifies them when their stored passwords appear to have been compromised, the letter said.
"The morning after I downloaded the software, I got a notification from my bank telling me that someone had tried to access my online account, but had entered the wrong password," said one bar applicant who reported issues, according to an example in the letter. "I changed my password the week before, and had the old one saved to my account but not the new one."
ExamSoft released a statement Sept. 2 denying that there had been a data breach.
"This password notification alert is unrelated to Examplify download and use," the statement said. "Any appearance of this message popping up around the time an applicant is downloading the Examplify software is completely coincidental. ExamSoft applications do not store and do not have access to any password information on exam-taker devices."
ExamSoft also said it had not known that users' access codes were being generated from their Social Security numbers, the letter to the attorney general said.
The letter expressed other concerns with remote proctoring program ExamMonitor, which "continuously observes exam takers with video and audio monitoring throughout the entire exam," and was jointly developed by ExamSoft and ProctorU. But ProctorU reported in July that it had a data breach, and it may have been more extensive than the test-takers' records from 2014 that the company confirmed, the letter said.
Scott McFarland, CEO of ProctorU, said in a statement that it had no role in the issues the letter reported with ExamSoft.
"ProctorU has no data or information related to those taking the bar exam with ExamSoft in Pennsylvania or in any other jurisdiction," McFarland said. "Our role in the exam process is extremely limited and at no time do we know the name of the examinee, their school, state or have any data that could possibly be related to the issues raised in your article. Our capacity is similar to a review and advise role."
Representatives of the attorney general's office and ExamSoft did not immediately respond to requests for comment Tuesday.
"Bar applicants across the country want ExamSoft to take our privacy and data security concerns seriously," said Valerie Snow, a 2020 graduate of the University of Pennsylvania Law School and co-organizer of the letter. "So far, they haven't. We need our state consumer protection authorities to take action."
--Editing by Abbie Sarfo.
Update: This article has been updated with a response from ProctorU.