Michigan Blames Cyberattack for Online Bar Exam Woes, While Indiana Moves to Exam Via Email
Test takers and bar watchers have expressed skepticism that Michigan's exam was actually the victim of a cyberattack, speculating that the issue may have been the result of a poorly designed testing system that was overwhelmed at a critical moment.
July 29, 2020 at 01:46 PM
The temporary disruption to Michigan's online bar exam Tuesday was the result of a cyberattack, officials said. But some test takers and experts aren't buying that explanation, saying it's more likely that the website of the outside vendor administering the test was simply overwhelmed at a critical moment.
Law graduates and attorney licensing entities were closely monitoring Michigan's exam, as it's the first-ever online bar exam—a route an increasing number of jurisdictions are taking amid the COVID-19 pandemic. At least 22 jurisdictions plan to give online bar exams in August and October. The Indiana Supreme Court announced Wednesday that the remote bar exam it plans to give Aug. 4 will be open book and delivered via email after remote administration software it initially planned to use failed tests.
Some of the more than 700 people taking the Michigan exam were locked out of the second of five test modules for close to an hour Tuesday when they couldn't retrieve the password they needed to get into the exam. The Michigan Board of Bar Examiners said after the test ended Tuesday that the password problem was caused by a deliberate cyberattack, a distributed denial of service (DDOS) attack on ExamSoft, the vendor Michigan used to administer the test. (DDOS attackers disable servers by overwhelming them with traffic.)
"The first hour-long module was completed without incident; however, prior to the start of the second module, ExamSoft experienced a distributed denial of service (DDOS) cyber-attack that prevented some test takers from accessing their passwords," according to a statement from the board. "After a short delay for some applicants, ExamSoft was able to successfully thwart this attack, and at no time was any test taker data compromised."
But there is mounting skepticism of that explanation, with some exam watchers saying that placing the blame on an outside cyberattack could be an attempt by vendor ExamSoft to cover up design flaws in its testing software. Casey Cheney, a 2020 graduate of Wayne State University Law School who took the exam, said that candidates were able to access the password for the first module of the exam 35 minutes ahead of time, allowing traffic to the password site to be spread out. But the password for the second module—where the problem arose—was released just five minutes ahead of time and the rush of test takers to the password site may have swamped ExamSoft's server, he said.
"It could have been a coordinated DDOS attack, but we have yet to see any evidence of that, nor have we seen what this attack was even trying to accomplish," Cheney said Wednesday. "We also know that this is the first time ExamSoft has ever hosted a remote online bar exam, that it was beta-testing the software for it in May, and that it has a track record of failing when lots of people try to use the system at once."
Dallas-based ExamSoft issued a statement Tuesday evening that it was the victim of a DDOS attack five minutes before the second module of the exam was due to start. The company said it's the first time it has been targeted by a DDOS at the network level.
"This was a sophisticated attack specifically aimed at the login process for the ExamSoft Portal which corresponded with an exam session for the Michigan Bar," the statement said. "At no time was any data compromised by this attack. ExamSoft was able to successfully thwart this attack, albeit with a minor delay."
Asked for further comment Wednesday, the company said it's focusing on ensuring the security of future bar exams.
"While we will be adding additional technology to significantly shorten or eradicate any delay or disruption from this type of attack in the future, our system worked as designed and stopped the attack promptly and appropriately without any compromise of data or any software corruption," it said in a prepared statement.
Vania Smith, a recent graduate of Catholic University of America Columbus School of Law, said it's unclear what motive cyberattackers would have to launch a DDOS attack on the bar exam.
"What's the goal?" said Smith, who is organizing advocates for an emergency diploma privilege in Washington, D.C. "Why would someone want to attack the password retrieval site? There seems to be no explanation as to why such an action would benefit anyone."
Cheney noted that the bar authorities in Michigan initially said the delay was due to a "technical glitch" and only blamed a DDOS after the exam had concluded. "This reads like a PR stunt to me," he said. "Rather than 'ill-equipped exam-proctoring company mishandles online bar exam,' it becomes 'exam-proctoring company thwarts cyberattack attempting to foil online bar exam, no data compromised.'"
Whether the problems were due to a targeted cyberattack or a poorly designed system, Michigan's bar exam should serve as a red flag to other jurisdictions planning online exams, said Tom McMasters, a technology and data privacy lawyer who has been tracking the move to online bar exams. ExamSoft should have tested its software to ensure its servers could handle the demand from bar takers, and also taken steps to ward off potential DDOS attacks, he said.
"This wouldn't be particularly encouraging to me as a state bar examiner who is planning an exam on Oct. 5 and 6, when many states are doing that," he said. "You either have not enough server capacity or a back end that was not well-designed. The other choice is that there was a denial of service attack, which is a well-known kind of attack that anyone putting a server on the internet needs to be able to defend themselves against."
McMasters noted that Indiana postponed its one-day online bar exam from Tuesday to Aug. 4 after a July 24 test by vendor ILG Technologies failed. ILG had held a mock exam with all test takers to see if its system would hold up. "It did not work, but I applaud them for doing that," he said.
But the Indiana Supreme Court ultimately decided Wednesday to abandon its plan for a remotely proctored bar exam due to the ongoing technical problems.
"The software testing company, ILG Technologies, was unsuccessful in correcting the problems which prevented some users from logging onto the test and created typing delays for other applicants," the court wrote.
Now, the Aug. 4 exam will be open book, without proctoring. The Indiana Board of Law Examiners will email the test questions to candidates, and they will email back their responses.
It remains to be seen whether these early online bar exam issues will prompt other jurisdictions to modify their plans. Part of the problem is that remote testing companies like ExamSoft and ILG Technologies are rushing to create products that can meet the new demand brought on by the pandemic, McMasters said.
"Of course with COVID, the demand for this has gone through the roof," he said. "There are a few companies scrambling to meet this need in an extremely compressed time frame. These state bar examiners either don't have the technical capability or the interest to do the due diligence required to make sure these projects are proceeding as they need to."