The following is a notice from the American Bar Association about a recent data security incident experienced on the ABA’s network. While the Massachusetts Bar Association is not impacted, we are sharing this notice for any current or former ABA members who may be affected.
The American Bar Association (“ABA”) is providing notice of an incident that may affect the privacy of personal information. The data impacted includes the username and salted and hashed password you may have used to access your American Bar Association (“ABA”) online account prior to 2018 on the old ABA website, or the ABA Career Center since 2018. The ABA takes the security of the information very seriously and sincerely apologizes for any concern this incident may cause. While the ABA has no indication that the personal information has been misused, this notification contains information about what happened, actions we have taken to prevent a reoccurrence, and steps to protect personal information. The ABA recently sent affected individuals an email about this incident to the last known email the ABA had on file.
What happened?
On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated, and cybersecurity experts were retained to assist with the investigation. The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information. On March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.
What information was involved?
The personal information involved the username and hashed and salted password certain users may have used to log into the old ABA website before 2018 or the ABA Career Center since 2018. To be clear, the passwords were not exposed in plain text. They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext. In addition, in many instances, the password may have been the default password assigned to the user by the ABA, if the user never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution.
Although the ABA changed its website log-in platform in 2018 and asked each user to create new credentials, if people with ABA accounts utilized the same credentials to access the new ABA website, www.americanbar.org, we suggest they update their passwords at their earliest convenience.
What we are doing.
The ABA takes the security of users’ information seriously and has taken measures to reduce the likelihood of a future cyber-attack, including removing the unauthorized third party from the ABA network and reviewing network security configurations to address continually evolving cyber threats.
What you can do.
Although the ABA has received no reports of misuse of anyone's information, we encourage concerned individuals to change any passwords which may be the same as or similar to the password at issue in this incident and remain vigilant against any unauthorized attempts to access online accounts. For those who would like to continue to use the ABA’s Career Center, they should consider changing their password in an abundance of caution.
The law of certain states may require us to provide additional information about identity theft, which is provided here.
If you have any questions, please call 1-888-411-8698, Monday through Friday from 9:00 am - 9:00 pm Eastern Time. The ABA appreciates your patience and understanding, and sincerely apologizes for any inconvenience or concern this incident may cause you.