Bug in jury systems used by several US states exposed sensitive personal data

A significant security vulnerability has been uncovered in various public websites utilized by courts throughout the United States and Canada for managing potential jurors' personal information. This flaw, which could easily compromise sensitive data such as names and home addresses, was brought to light by an anonymous security researcher who contacted TechCrunch with details about the exploit. The researcher identified at least a dozen jury management websites developed by Tyler Technologies that are susceptible to this issue, as they operate on the same platform. The affected sites span numerous states including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia. Following TechCrunch's alert about the data exposures, Tyler Technologies confirmed they are working to rectify the vulnerability. The nature of the flaw allowed unauthorized individuals to access critical juror information. Each juror is assigned a unique numerical identifier for logging into the platforms, but this identifier was sequentially incremental, making it easy to brute-force. Furthermore, the absence of a rate-limiting feature enabled attackers to overwhelm the login pages with numerous guessing attempts. In early November, the researcher pointed out a specific jury management portal in Texas that was vulnerable. A review of this portal revealed alarming exposures, including full names, birth dates, occupations, email addresses, phone numbers, and both home and mailing addresses. Other personal data that could be accessed included details from questionnaires that potential jurors must complete to determine their eligibility for service. These questionnaires contained sensitive inquiries regarding gender, ethnicity, education, employment, marital status, citizenship, and criminal history. In some instances, the vulnerability could have even revealed personal health information if a juror had requested an exemption from service for medical reasons. The researcher presented evidence of such exposures as well. After TechCrunch notified Tyler Technologies on November 5, the company acknowledged the vulnerability by November 25. A spokesperson for Tyler stated that their security team had confirmed the existence of a vulnerability that allowed certain juror information to be accessed through brute force attacks. They also mentioned that a remediation plan had been developed to prevent unauthorized access and that they were in communication with their clients regarding next steps. However, the spokesperson did not address follow-up inquiries regarding whether Tyler has the capability to assess if any malicious access to jurors' personal information had occurred or if there are plans to inform those whose data was compromised. This incident is not an isolated case; in 2023, a different security flaw led to several U.S. online court record systems exposing sealed and sensitive data, including witness lists and mental health evaluations, prompting Tyler to rectify issues in its Case Management System Plus used in Georgia. Other technology providers were also implicated in that breach, highlighting ongoing concerns about data security in government systems.