A critical security flaw in juror management systems used across multiple US states and in Canada has exposed sensitive personal data of potential jurors, including names, addresses, and detailed questionnaire responses. The vulnerability, identified by a security researcher and reported exclusively by TechCrunch, affects at least a dozen websites powered by government software maker Tyler Technologies.
The Nature of the Vulnerability
The core issue is a lack of basic security measures: the platforms identify jurors by sequentially incrementing numbers that can be easily brute-forced. Crucially, the systems lack rate limiting, so attackers can flood login pages with guesses without restriction. This allows unauthorized access to full juror profiles, which contain not just contact information but also deeply personal details collected through mandatory questionnaires.
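One way a portal operator could spot this pattern in login logs, as an added example that is not from the article or from Tyler Technologies. The log format, IP addresses, juror IDs, thresholds and function name are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, client IP, juror ID tried, result.
SAMPLE_LOG = [
    "2025-01-01T09:00:00 203.0.113.5 481200 OK",
    "2025-01-01T09:00:40 203.0.113.5 481200 OK",     # same juror, two visits
] + [
    f"2025-01-01T09:01:{s:02d} 198.51.100.7 {500000 + s} "
    f"{'OK' if s % 4 == 0 else 'FAIL'}"              # one new ID per second
    for s in range(12)
] + [
    "2025-01-01T09:05:00 203.0.113.9 612345 FAIL",   # typo...
    "2025-01-01T09:05:20 203.0.113.9 612354 OK",     # ...then the right ID
]

def find_enumeration(lines, window=timedelta(seconds=60), max_ids=5):
    """Return {client_ip: report} for clients that tried more than max_ids
    distinct juror IDs inside any sliding time window."""
    recent = defaultdict(deque)   # ip -> (timestamp, juror_id) still in window
    flagged = {}
    for line in lines:
        # The result field is ignored on purpose: with sequential IDs a guess
        # can succeed, so counting only failed logins would miss enumeration.
        ts_raw, ip, juror_raw, _result = line.split()
        ts, juror_id = datetime.fromisoformat(ts_raw), int(juror_raw)
        q = recent[ip]
        q.append((ts, juror_id))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        ids = [j for _, j in q]
        distinct = len(set(ids))
        if distinct > max_ids:
            # Share of consecutive attempts that step the ID by exactly +1.
            steps = sum(b - a == 1 for a, b in zip(ids, ids[1:]))
            report = {"distinct_ids": distinct,
                      "sequential_ratio": steps / (len(ids) - 1)}
            if ip not in flagged or distinct > flagged[ip]["distinct_ids"]:
                flagged[ip] = report      # keep the worst window per client
    return flagged

if __name__ == "__main__":
    for ip, report in find_enumeration(SAMPLE_LOG).items():
        print(ip, report)
```

The same per-client count of distinct IDs can drive a throttle or lockout at the login endpoint, which is the rate-limiting control the article says was missing.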
What Data Was Exposed?
Exposed data includes:
- Full names, dates of birth, and contact details (email, phone number, home address).
- Detailed personal information: occupation, ethnicity, education level, marital status, parental status, citizenship, and criminal history.
- Potentially sensitive health data: Jurors requesting exemptions due to medical reasons may have disclosed disqualifying conditions.
This level of exposure is particularly concerning because juror data is often considered confidential to protect impartiality and prevent intimidation.
Tyler Technologies’ Response
After being alerted to the flaw on November 5th, Tyler Technologies acknowledged the vulnerability on November 25th, stating that “some juror information may have been accessible via a brute force attack.” The company claims to have developed a fix but has not yet confirmed whether malicious access occurred or if affected individuals will be notified.
History of Data Exposure
This is not an isolated incident. In 2023, Tyler Technologies was implicated in another major data leak, in which U.S. court record systems exposed sealed confidential data, including witness lists, mental health evaluations, and trade secrets. Similar issues were also found in systems provided by Catalis and Henschen & Associates, highlighting a broader systemic problem in government technology security.
Why This Matters
The repeated exposure of sensitive government data raises serious questions about cybersecurity standards for vendors handling critical infrastructure. Juror data is uniquely vulnerable to misuse, potentially leading to harassment, intimidation, or even identity theft. The lack of transparency from Tyler Technologies regarding potential breaches further exacerbates the issue, leaving individuals exposed without knowing if their data was compromised.
The incident underscores the urgent need for stricter security audits and more robust data protection measures in government systems. Until then, the risk of similar exposures remains high, jeopardizing the integrity of the justice system and the privacy of ordinary citizens.
