A glitch in jury systems used in several US states exposed sensitive personal data


Several public websites designed to allow courts across the US and Canada to manage potential jurors’ personal information have a simple security vulnerability that easily exposes their sensitive data, including names and home addresses, TechCrunch has learned exclusively.

A security researcher, who requested to remain anonymous for this story, contacted TechCrunch with details of the easy-to-exploit vulnerability, and identified at least a dozen jury sites created by government software maker Tyler Technologies that appear to be vulnerable, given that they run on the same platform.

Locations are spread across the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas and Virginia.

Tyler told TechCrunch that it is working on a fix after we alerted the company to the data exposure.

This flaw meant that anyone could obtain information about the jurors selected to serve. To log in to these portals, each juror is given a unique numeric ID. Because those IDs were assigned sequentially, an attacker could simply count up through them and brute-force valid logins. The platform also had no mechanism to stop someone from flooding the login page with guesses, a protection known as “rate limiting.”
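As an added illustration (not code from Tyler Technologies or from the article), the following constructed Python simulation shows why a sequential ID with no rate limit is trivially enumerable, and the two hardening measures that close the gap: an unguessable random token per juror and a per-client sliding-window rate limit on failed logins. The portal classes, juror names and IP addresses are all made up for the example.

```python
"""Constructed example: a sequential-ID login with no rate limit versus a
hardened version. Illustrative only; this is not Tyler Technologies' code."""
import secrets
from collections import defaultdict, deque

# Made-up juror names for the demonstration.
SAMPLE_JURORS = ["Ada Lovelace", "Bob Ross", "Carol Danvers", "Dan Abnett", "Eve Polastri"]


class SequentialPortal:
    """Vulnerable pattern: the only login credential is an incrementing counter."""

    def __init__(self, first_id=100001):
        self._next_id = first_id
        self._records = {}

    def enroll(self, name):
        juror_id = self._next_id
        self._next_id += 1
        self._records[juror_id] = {"name": name}
        return juror_id

    def login(self, juror_id, client_ip):
        # Every guess is answered, however many arrive from one client.
        return self._records.get(juror_id)


def enumerate_ids(portal, start, count, client_ip="203.0.113.9"):
    """Attacker's view: walk consecutive IDs; each hit returns a full record."""
    found = {}
    for juror_id in range(start, start + count):
        record = portal.login(juror_id, client_ip)
        if record is not None:
            found[juror_id] = record
    return found


class HardenedPortal:
    """Two fixes: an unguessable token per juror, and a sliding-window
    rate limit on failed logins per client address."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self._records = {}
        self._max_attempts = max_attempts
        self._window = window_seconds
        self._failures = defaultdict(deque)  # client_ip -> timestamps of failed logins

    def enroll(self, name):
        token = secrets.token_urlsafe(24)  # 192 random bits; cannot be counted up
        self._records[token] = {"name": name}
        return token

    def login(self, token, client_ip, now):
        """`now` is a timestamp in seconds, passed in so the window is testable."""
        recent = self._failures[client_ip]
        while recent and now - recent[0] > self._window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self._max_attempts:
            return "rate_limited"  # refuse without even checking the token
        record = self._records.get(token)
        if record is None:
            recent.append(now)
        return record


def run_demo():
    """Returns (records leaked from the vulnerable portal,
    per-attempt results of guessing against the hardened one)."""
    vulnerable = SequentialPortal()
    first_id = vulnerable.enroll(SAMPLE_JURORS[0])
    for name in SAMPLE_JURORS[1:]:
        vulnerable.enroll(name)
    leaked = enumerate_ids(vulnerable, first_id, 10)

    hardened = HardenedPortal()
    for name in SAMPLE_JURORS:
        hardened.enroll(name)
    # Eight guesses from one address within one minute: five are simply
    # wrong, the rest are refused outright.
    guesses = [hardened.login(f"guess{i}", "203.0.113.9", now=float(i)) for i in range(8)]
    return leaked, guesses


if __name__ == "__main__":
    leaked, guesses = run_demo()
    print(f"vulnerable portal: {len(leaked)} records leaked by counting up")
    print(f"hardened portal: {guesses}")
```

Against the vulnerable portal, ten consecutive guesses recover every enrolled record; against the hardened one, the first five wrong guesses from one address return nothing and the rest are refused before the token is even checked, while a legitimate juror logging in from another address is unaffected. In a real deployment the limit would also be keyed on the account and the token would be delivered out of band (for example on the printed summons), but the two mechanisms shown are the ones the article says were missing.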

In early November, a security researcher told TechCrunch that they had identified at least one Texas county’s jury management portal as vulnerable. Within that portal, TechCrunch viewed full names, dates of birth, occupations, email addresses, cell phone numbers, home addresses and mailing addresses.

Other exposed data included information shared in questionnaires that potential jurors are asked to fill out to find out if they are qualified to serve on a jury.

In the portal viewed by TechCrunch, questions were asked about a person’s gender, race, education level, employer, marital status, children, whether the person is a citizen, whether they are over 18, and whether they have ever been convicted of or faced a theft or felony charge.

The vulnerability could also expose personal health data within a juror’s profile in some cases. For example, a juror who asks to be excused from serving for health reasons may have disclosed the medical condition they believe makes them ineligible. TechCrunch saw an example of this as well.

Contact us

Do you have more information about vulnerabilities in Tyler Technologies products? Or other government technology? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or Email.

TechCrunch alerted Tyler to the issue on November 5. Tyler acknowledged the vulnerability on November 25.

In a statement, Tyler spokeswoman Karen Shields said the company’s security team confirmed a vulnerability where some juror information may have been accessed through a brute force attack.

“We have developed a remedy to prevent unauthorized access and are communicating next steps with our customers,” the statement said.

The spokesperson did not respond to a series of follow-up questions, including whether Tyler had the technical means to determine whether there was any malicious access to jurors’ personal information, and whether it planned to notify people whose data was disclosed.

This is not the first time Tyler has left sensitive personal data exposed online. In 2023, a security researcher found that, due to a separate vulnerability, some online court records systems in the United States had exposed sealed, confidential and sensitive data such as witness lists and testimony, mental health evaluations, detailed allegations of abuse, and corporate trade secrets.

In that earlier case, Tyler fixed the vulnerabilities in its Case Management System Plus product, which was used throughout the state of Georgia.

Two other government technology providers were also exposing data in that case: Catalis, through its CMS360 product, a system used in several US states; and Henschen & Associates, through the CaseLook court filing system used in Ohio.
