Cybersecurity

Michigan online bar exam temporarily taken down by ‘sophisticated’ cyberattack

The online Michigan bar exam was targeted by a “sophisticated” cyberattack that temporarily took down the test, the vendor offering the online exam said Tuesday.

ExamSoft, one of the three vendors offering the exam that certifies potential attorneys, said the test had been hit by a distributed denial of service (DDoS) attack, which involves a hacker or group attempting to take down a server by overwhelming it with traffic. 

“This was a sophisticated attack specifically aimed at the login process for the ExamSoft portal which corresponded with an exam session for the Michigan Bar,” ExamSoft said in a statement on Tuesday

The company noted that “at no time” was any data compromised, and that it was able to “thwart the attack, albeit with a minor delay” for test takers.

The incident marked the first DDoS attack the company had experienced at a network level, ExamSoft wrote, and it worked with the Michigan Board of Law Examiners to give test takers more time to take the exam after it was up and running again. 

“All exam takers were successfully able to start and complete all modules of the Michigan Bar exam,” the company wrote.

The Michigan Supreme Court tweeted prior to the company’s statement that a “technical glitch” had caused the exam to go down, and that test takers were “emailed passwords and the test day will be extended to allow for the delay for some test takers to access the second module.”

According to the court, those taking the exam with provisions from the Americans with Disabilities Act were not impacted by the incident. 

The cyberattack comes after law school graduates and others taking the bar exam nationwide have increasingly advocated for states to waive the requirement for potential attorneys to pass the bar exam to practice law. They have cited health concerns with taking it in-person during the pandemic, and privacy and security issues involved with taking it online. 

United for Diploma Privilege, a national group of law students, graduates, professors and lawyers pushing for the bar exam to be waived during the COVID-19 pandemic, raised concerns about data privacy issues involved in the cyberattack. 

“If this was such a sophisticated attack, what do they have to say about the biodata collected during exam administration?” the group tweeted

Many states have opted to offer the bar exam in-person this month, while others will offer the exam online in early October. 

A spokesperson for the National Conference of Bar Examiners (NCBE), which drafts a portion of the exam, told The Hill earlier this month that states and jurisdictions could choose to offer the exam through vendors ExamSoft, Extegrity and ILG Technologies.

“Each technology vendor has systems in place to help maintain the security of the remote exam and ensure a smooth testing experience for candidates,” the NCBE spokesperson said. “Jurisdictions that decide to administer the emergency remote exam will work with their selected vendor to address any security and technical issues that arise.”