Bug in jury systems used by several US states exposes sensitive personal data | TechCrunch

Several public websites designed to allow courts in the United States and Canada to manage the personal information of potential jurors had a simple security flaw that could easily expose their sensitive data, including names and home addresses, TechCrunch has exclusively learned.

A security researcher, who asked not to be identified for this story, contacted TechCrunch with details about the easily exploitable vulnerability and identified at least a dozen jury websites created by government software maker Tyler Technologies that appear to be vulnerable since they run on the same platform.

The locations are spread across the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas and Virginia.

Tyler told TechCrunch that it is fixing the flaw after we notified the company of the information exposure.

The bug allowed anyone to obtain information about people selected for jury duty. To log into these platforms, a prospective juror is assigned a unique numerical identifier, which can be brute-forced because the numbers are issued sequentially. The platform also had no mechanism to stop someone from flooding the login pages with a large number of guesses, a protection known as "rate limiting."
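To make the two weaknesses concrete, here is an added illustration written for this page; it is not Tyler's code and does not reproduce any real portal. It models a hypothetical juror login that uses a sequential number as its only credential with no attempt limit, runs a simple enumeration against it, and then runs the same enumeration against a hardened version that issues a random token per juror and caps attempts per client. All juror records, IP addresses and class names are constructed for the example.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample records (not real jurors). The identifier scheme, not
# the data, is the point of the example.
JURORS = {
    1001: {"name": "Juror One", "dob": "1980-04-02"},
    1002: {"name": "Juror Two", "dob": "1975-11-19"},
    1003: {"name": "Juror Three", "dob": "1992-07-30"},
}


class VulnerablePortal:
    """Hypothetical portal: the only credential is a sequential juror
    number, and nothing limits how many numbers one client may try."""

    def __init__(self, jurors):
        self.jurors = jurors

    def login(self, guess, client_ip):
        # A hit returns the whole record, exactly what an enumerator wants.
        return self.jurors.get(guess)


class HardenedPortal:
    """Hypothetical fix: the credential is a random 128-bit token printed on
    the summons, and each client gets a few attempts per time window."""

    MAX_ATTEMPTS = 5
    WINDOW_SECONDS = 900

    def __init__(self, jurors):
        self.by_token = {}
        self.token_for = {}          # juror number -> token (what the summons carries)
        for number, record in jurors.items():
            token = secrets.token_urlsafe(16)   # 128 bits of entropy, not guessable
            self.by_token[token] = record
            self.token_for[number] = token
        self.attempts = defaultdict(list)   # client_ip -> attempt timestamps
        self.lookups = 0                    # attempts that reached the lookup

    def _throttled(self, client_ip, now):
        recent = [t for t in self.attempts[client_ip] if now - t < self.WINDOW_SECONDS]
        self.attempts[client_ip] = recent
        return len(recent) >= self.MAX_ATTEMPTS

    def login(self, guess, client_ip, now=None):
        now = time.time() if now is None else now
        if self._throttled(client_ip, now):
            return None                     # locked out; same response as a wrong token
        self.attempts[client_ip].append(now)
        self.lookups += 1
        return self.by_token.get(str(guess))


def enumerate_portal(portal, start, stop, client_ip="198.51.100.7"):
    """What an attacker does against a sequential ID space: try every value
    and keep whatever comes back."""
    found = {}
    for n in range(start, stop):
        record = portal.login(n, client_ip)
        if record is not None:
            found[n] = record
    return found


if __name__ == "__main__":
    leaked = enumerate_portal(VulnerablePortal(JURORS), 1000, 1100)
    print(f"vulnerable portal: {len(leaked)} records from 100 guesses")
    hardened = HardenedPortal(JURORS)
    blocked = enumerate_portal(hardened, 1000, 1100)
    print(f"hardened portal: {len(blocked)} records, only {hardened.lookups} guesses reached the lookup")
```

Against the vulnerable portal, 100 sequential guesses recover every record in that range; against the hardened one the same loop gets nothing, and only the first five attempts from that client are even checked. A per-IP limit on its own is not enough in production, since an attacker can spread guesses across many addresses, which is why the unguessable token matters more than the throttle; real portals usually also require a second factor from the summons, such as date of birth or postal code, before showing any data.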

In early November, the security researcher told TechCrunch that they had identified at least one jury management portal for a Texas county as vulnerable. Within that portal, TechCrunch saw full names, dates of birth, occupation, email addresses, cell phone numbers, and home and mailing addresses.

Other exposed data includes information shared in the questionnaires that potential jurors must complete to see if they are qualified to serve on a jury.

The portal TechCrunch looked at asks about gender, ethnicity, education level, employer, marital status and children, and whether the person is a citizen, is over 18 years old, and has been convicted of or charged with theft or another crime.

The vulnerability could in some cases have exposed personal health information in a juror's profile. For example, a juror who asked to be excused from duty for health reasons may have disclosed the medical condition they believe disqualifies them. TechCrunch also saw an example of this.

Contact us

Do you have more information about vulnerabilities in Tyler Technologies products? Or other government technology? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

TechCrunch notified Tyler of the issue on November 5. Tyler acknowledged the vulnerability on November 25.

In a statement, Tyler spokesperson Karen Shields said the company’s security team confirmed that “a vulnerability exists where certain juror information could have been accessed through a brute force attack.”

“We have developed a solution to prevent unauthorized access and are communicating next steps with our customers,” the statement said.

The spokesperson did not respond to a series of follow-up questions, including whether Tyler has the technical means to determine whether jurors' personal information was accessed maliciously, and whether it plans to notify the people whose data was exposed.

This isn't the first time Tyler has left sensitive personal information exposed online. In 2023, a security researcher discovered that, due to a separate security flaw, some U.S. online court records systems exposed sealed, confidential and sensitive data such as witness lists and testimony, mental health evaluations, detailed allegations of abuse and trade secrets.

In that case, Tyler fixed vulnerabilities in its Case Management System Plus product, which was used throughout the state of Georgia.

Two other government technology providers exposed data in that case: Catalis, through its CMS360 product, a system used in several US states; and Henschen & Associates, through the CaseLook court system used in Ohio.
