Researcher finds flaw in portals used to manage juror information
Several public jury-management websites across the United States and Canada were found to have a simple but serious security flaw that exposed sensitive personal information belonging to potential jurors, TechCrunch learned after being contacted by a security researcher. The affected sites were built by government software provider Tyler Technologies and appear vulnerable because they run on the same platform. Impacted jurisdictions span California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.
Tyler Technologies said it began fixing the flaw after being alerted to the issue.
Sequential IDs made brute-forcing juror data possible
The researcher discovered that the login process used a unique numerical identifier assigned to each juror, but the numbers were sequential and could be easily guessed. The portals also lacked rate-limiting, allowing an unlimited number of login attempts. As a result, anyone could obtain information belonging to selected jurors.
In early November, the researcher identified at least one Texas county’s jury portal as vulnerable. Data visible inside the portal included full names, dates of birth, occupation, email addresses, cell phone numbers, and home and mailing addresses. Additional information came from mandatory questionnaires that asked about gender, ethnicity, education level, employer, marital status, children, citizenship status, age, and any past theft or felony convictions or indictments.
Health details could also be exposed in cases where jurors requested exemptions for medical reasons. TechCrunch viewed one such example.
Company confirms vulnerability and begins remediation
TechCrunch notified Tyler Technologies on November 5. The company acknowledged the vulnerability on November 25. Tyler spokesperson Karen Shields said the security team confirmed that “a vulnerability exists where some juror information may have been accessible via a brute force attack.” Shields said the company developed a remediation and is communicating next steps to clients.
The company did not answer follow-up questions about whether it can determine if the exposed data was accessed maliciously or whether it plans to notify affected individuals.
Previous exposure incidents involving court data
This is not the first time Tyler Technologies has faced issues involving exposed sensitive information. In 2023, a separate flaw allowed some U.S. online court records to leak sealed or confidential data, including witness lists, mental health evaluations, abuse allegations, and corporate trade secrets. In that case, Tyler fixed vulnerabilities in its Case Management System Plus, used across Georgia.
Two other government technology companies were also implicated in that prior incident: Catalis, whose CMS360 system was used in several states, and Henschen & Associates, whose CaseLook system was used in Ohio.
Featured image credits: Freepik
For more stories like it, click the +Follow button at the top of this page to follow us.