Bug in jury systems used by several US states exposed sensitive personal data

Several public websites designed to allow courts across the United States and Canada to manage the personal information of potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses, TechCrunch has exclusively learned.

A security researcher, who asked not to be named for this story, contacted TechCrunch with details of the easy-to-exploit vulnerability, and identified at least a dozen juror websites made by government software maker Tyler Technologies that appear to be vulnerable, given that they run on the same platform. 

The sites are all over the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.

Tyler told TechCrunch that it is fixing the flaw after we alerted the company to the information exposures.

The bug meant it was possible for anyone to obtain the information about jurors who are selected for service. To log into these platforms, a juror is provided a unique numerical identifier assigned to them, which could be brute-forced since the number was sequentially incremental. The platform also did not have any mechanism to prevent anyone from flooding the login pages with a large number of guesses, a feature known as “rate-limiting.”

In early November, the security researcher told TechCrunch that they identified at least one jury management portal for a county in Texas as vulnerable. Inside that portal, TechCrunch saw full names, date of birth, occupation, email addresses, cell phone numbers, and home and mailing addresses.

Other exposed data included information shared in the questionnaires that potential jurors are required to fill out to see if they are qualified to serve on a jury.

In the portal seen by TechCrunch, the questions asked about the person’s gender, ethnicity, education level, employer, marital status, children, if the person was a citizen, whether they were older than 18, and whether they have been convicted or faced indictment for a theft or felony. 

The vulnerability could have exposed personal health data inside a juror’s profile in some cases. For example, if a juror had requested to be exempted from service for health reasons, they may have disclosed what medical reason they think disqualifies them. TechCrunch saw an example of that, too.

TechCrunch alerted Tyler of the issue on November 5. Tyler acknowledged the vulnerability on November 25.

In a statement, Tyler spokesperson Karen Shields said that the company’s security team confirmed “a vulnerability exists where some juror information may have been accessible via a brute force attack.”

“We have developed a remediation to prevent unauthorized access and are communicating next steps with our clients,” the statement said.

The spokesperson did not respond to a series of follow-up questions, including whether Tyler has the technical means to determine if there was any malicious access to jurors’ personal information, and whether it plans to notify people whose data was exposed. 

This is not the first time Tyler left sensitive personal data exposed on the internet. In 2023, a security researcher found that, due to a separate security flaw, some U.S. online court record systems exposed sealed, confidential, and sensitive data, such as witness lists and testimony, mental health evaluations, detailed allegations of abuse, and corporate trade secrets. 

In that case, Tyler fixed vulnerabilities in its Case Management System Plus product, which was used across the state of Georgia. 

Two other government technology providers were exposing data in that case: Catalis, through its CMS360 product, a system used across several U.S. states; and Henschen & Associates, through its CaseLook court record system, used in Ohio.