Jury System Data Breach: Personal Data Exposed in US States

Juror Data Exposed Due to Security Flaw in Court Websites

A significant security vulnerability was discovered on several public websites utilized by courts in the United States and Canada. This flaw potentially exposed the sensitive personal information of prospective jurors, including their names and residential addresses, as TechCrunch exclusively reported.

Vulnerability Details and Affected Locations

A security researcher, wishing to remain anonymous, brought the easily exploitable vulnerability to the attention of TechCrunch. The researcher identified at least a dozen juror websites developed by Tyler Technologies as being susceptible, as they all operate on the same underlying platform.

The affected websites are geographically dispersed across the country, with confirmed instances in California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.

Tyler Technologies Response

Upon being informed of the issue by TechCrunch, Tyler Technologies has initiated a fix to address the identified flaw and prevent further data exposure.

How the Vulnerability Was Exploited

The vulnerability allowed unauthorized access to juror information by exploiting a weakness in the login process. Jurors are assigned a unique numerical identifier for platform access. This identifier was sequentially incremental, making it vulnerable to a brute-force attack.

Critically, the platform lacked rate-limiting, a security measure that prevents excessive login attempts. This absence enabled attackers to flood the login pages with numerous guesses without restriction.

Data Exposed in the Breach

The security researcher initially identified a vulnerable jury management portal in a Texas county in early November. Access to this portal revealed a wealth of personal data, including:

Full names
Dates of birth
Occupations
Email addresses
Cell phone numbers
Home and mailing addresses

Furthermore, responses to questionnaires completed by potential jurors – used to determine eligibility – were also exposed.

Sensitive Questionnaire Information

The exposed questionnaire data encompassed a range of personal details, such as:

Gender
Ethnicity
Education level
Employer
Marital status
Number of children
Citizenship status
Age (over 18 verification)
Criminal history (theft or felony convictions/indictments)

In some instances, the vulnerability could have exposed personal health information submitted by jurors requesting exemptions from service due to medical reasons.

Timeline of Events

TechCrunch initially alerted Tyler Technologies to the issue on November 5th. The company acknowledged the vulnerability on November 25th.

According to a statement from Tyler spokesperson Karen Shields, the company’s security team confirmed the existence of a vulnerability allowing potential access to juror information through brute-force attacks.

“We have developed a remediation to prevent unauthorized access and are communicating next steps with our clients,” the statement affirmed.

Lack of Transparency from Tyler Technologies

Despite follow-up inquiries, the spokesperson did not respond to questions regarding Tyler’s ability to detect malicious access to juror data or its plans to notify affected individuals.

Previous Data Exposure Incidents

This is not an isolated incident for Tyler Technologies. In 2023, a separate security flaw in their systems led to the exposure of sealed court records, including sensitive data like witness lists, testimony, mental health evaluations, and confidential allegations.

The 2023 incident involved vulnerabilities in Tyler’s Case Management System Plus, used throughout the state of Georgia.

Other Affected Vendors

Two other government technology providers were also implicated in the 2023 data exposure: Catalis (through its CMS360 product) and Henschen & Associates (through its CaseLook court record system).