
US Jury System Bug Exposed Sensitive Personal Data

Summary

– Public juror websites across the U.S. and Canada had a security flaw exposing sensitive personal data like names and addresses.
– The vulnerability was found in at least a dozen sites built by Tyler Technologies and allowed brute-force attacks because login identifiers were sequential numbers.
– Exposed data included full names, birthdates, contact details, and juror questionnaire responses about demographics and legal history.
– Tyler Technologies acknowledged the flaw and is developing a fix after being alerted by TechCrunch in early November.
– This is not Tyler’s first security incident; in 2023, a separate flaw exposed sealed court records and sensitive legal documents.

A significant security flaw in jury management websites used by courts across the United States and Canada has led to the exposure of sensitive personal information belonging to potential jurors. The vulnerability, discovered in platforms developed by government software provider Tyler Technologies, allowed unauthorized access to a wide range of confidential data through a simple brute-force attack method. Websites in states including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia were reportedly affected.

An anonymous security researcher brought the issue to light, explaining that the juror portals lacked basic security measures. Each juror receives a unique numerical identifier to log in, but these identifiers were assigned in sequential order. Because the platforms did not implement rate-limiting, a feature that blocks repeated login attempts, anyone could systematically guess these numbers and gain entry without triggering security alerts.
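
One way a portal operator could implement the missing control described above, shown as an added example that is not from the article or from Tyler Technologies: a per-client throttle that counts distinct identifiers tried in a sliding window and reports the longest run of consecutive identifiers. The class and function names, the thresholds, and the log tuples are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_DISTINCT_IDS = 5  # assumed limit on distinct identifiers per client per window


class EnumerationGuard:
    """Throttle keyed on distinct identifiers tried, not on raw request count."""

    def __init__(self, window=WINDOW_SECONDS, max_ids=MAX_DISTINCT_IDS):
        self.window, self.max_ids = window, max_ids
        self.attempts = defaultdict(deque)  # client -> deque of (ts, juror_id)

    def allow(self, client, juror_id, ts):
        q = self.attempts[client]
        while q and ts - q[0][0] > self.window:  # expire old attempts
            q.popleft()
        q.append((ts, juror_id))
        # A juror retyping one number stays at 1; a guesser's count keeps growing.
        return len({jid for _, jid in q}) <= self.max_ids

    def sequential_run(self, client):
        """Longest run of consecutive identifiers in the client's current window."""
        ids = sorted({jid for _, jid in self.attempts[client]})
        best = run = 1 if ids else 0
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        return best


def replay(events):
    """Return {client: (first_blocked_ts, consecutive_run)} for (ts, client, id) events."""
    guard, blocked = EnumerationGuard(), {}
    for ts, client, juror_id in events:
        if not guard.allow(client, juror_id, ts) and client not in blocked:
            blocked[client] = (ts, guard.sequential_run(client))
    return blocked


# Constructed sample log: (seconds, client address, identifier submitted).
SAMPLE = (
    [(t, "198.51.100.20", 481516) for t in (0, 5, 9)]            # juror retrying own ID
    + [(12, "198.51.100.20", 481620)]                            # second household member
    + [(20 + i, "203.0.113.7", 700100 + i) for i in range(10)]  # consecutive IDs
)

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A per-client throttle like this limits guessing from one source and produces an alert signal; it complements, and does not replace, issuing identifiers that are not sequential.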

Upon accessing one county’s portal in Texas, investigators found extensive personal details of individuals selected for jury duty. Exposed information included full names, dates of birth, occupations, email addresses, cell phone numbers, and both home and mailing addresses. Additionally, answers from juror qualification questionnaires were visible, covering topics such as gender, ethnicity, education level, employer details, marital status, number of children, citizenship status, age verification, and any history of theft or felony indictments or convictions.

In certain instances, the security gap also revealed private health information. When jurors requested exemptions from service for medical reasons, the specific health conditions they disclosed became accessible. One such example was documented where an individual’s medical justification for exemption was openly viewable within the system.

TechCrunch notified Tyler Technologies about the vulnerability on November 5, and the company confirmed the issue on November 25. Karen Shields, a spokesperson for Tyler, stated that their security team had verified the flaw and acknowledged that juror information could have been obtained via brute-force attacks. She confirmed that a remediation plan was developed to block unauthorized access and that the company was communicating next steps with its clients. However, Tyler did not respond to inquiries about whether it could determine if any malicious access had occurred or if affected individuals would be notified.

This incident is not the first time Tyler Technologies has been involved in a data exposure event. In 2023, a separate security weakness in the company’s Case Management System Plus product, used statewide in Georgia, resulted in public access to sealed and confidential court records. Those records included witness lists, testimony transcripts, mental health evaluations, detailed abuse allegations, and corporate trade secrets. Other government technology providers, Catalis and Henschen & Associates, were also implicated in that earlier breach for similar exposures through their respective court record systems.

(Source: TechCrunch)
