A widespread security flaw in jury management systems developed by government software provider Tyler Technologies has exposed sensitive personal data of potential jurors across numerous U.S. states and Canada. The vulnerability, which was easily exploitable, allowed unauthorized access to personally identifiable information, including names, home addresses, email addresses, phone numbers, and even health data.
The flaw was discovered by an anonymous security researcher who alerted TechCrunch to the issue. The researcher identified at least a dozen vulnerable juror websites, all running on the same platform developed by Tyler Technologies. These affected systems are used by courts in states such as California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.
How the Vulnerability Worked
The core of the problem lay in how jurors were authenticated and the lack of robust security measures. Jurors are typically assigned a unique numerical identifier to log into these platforms. The vulnerability stemmed from two critical weaknesses:
- Sequentially Incremental IDs: The numerical identifiers were sequentially incremental, making them predictable and susceptible to brute-force attacks. An attacker could simply guess numbers in sequence until a valid ID was found.
- Lack of Rate-Limiting: The platforms lacked "rate-limiting," a crucial security feature that prevents an attacker from making a large number of login attempts in a short period. This absence allowed for unlimited guessing, making brute-forcing highly effective.
These combined factors meant that virtually anyone could systematically obtain sensitive information about selected jurors.
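The missing control described above, as an added example that is not from the article or from Tyler Technologies: a login throttle keyed on the client rather than on the juror ID, since a per-ID lockout never triggers when each sequential ID is tried only once. The thresholds, the names `LoginThrottle` and `replay`, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; the article gives none.
WINDOW_SECONDS = 60
MAX_FAILURES = 5        # failed logins allowed per client per window
MAX_DISTINCT_IDS = 3    # distinct juror IDs one client may try per window


class LoginThrottle:
    """Sliding-window limiter keyed on the client, not on the juror ID: a
    per-ID lockout never fires when each ID is guessed only once."""

    def __init__(self):
        self._events = defaultdict(deque)  # client -> (ts, juror_id, ok)

    def allow(self, client, juror_id, now):
        """Return True if the attempt may proceed to the credential check."""
        q = self._events[client]
        while q and now - q[0][0] >= WINDOW_SECONDS:  # drop expired events
            q.popleft()
        failures = sum(1 for _, _, ok in q if not ok)
        ids = {j for _, j, _ in q} | {juror_id}
        return failures < MAX_FAILURES and len(ids) <= MAX_DISTINCT_IDS

    def record(self, client, juror_id, ok, now):
        self._events[client].append((now, juror_id, ok))


def replay(attempts, valid_ids):
    """Replay time-ordered (ts, client, juror_id) attempts; return outcomes."""
    throttle, outcomes = LoginThrottle(), []
    for ts, client, juror_id in attempts:
        if not throttle.allow(client, juror_id, ts):
            outcomes.append("throttled")
            continue
        ok = juror_id in valid_ids
        throttle.record(client, juror_id, ok, ts)
        outcomes.append("ok" if ok else "denied")
    return outcomes


# Constructed sample: one client walking consecutive IDs, one juror's typo.
VALID = {1003, 1007, 2050}
SAMPLE = sorted([(t, "203.0.113.9", 1000 + t) for t in range(10)]
                + [(3, "198.51.100.4", 2051), (20, "198.51.100.4", 2050)],
                key=lambda a: a[0])

if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE, replay(SAMPLE, VALID)):
        print(attempt, outcome)
```

The throttle addresses only the second weakness; the first is addressed by issuing identifiers that are long and random rather than sequential.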
Scope of Exposed Data
TechCrunch, after being contacted by the security researcher, verified the vulnerability by accessing a jury management portal for a county in Texas. The exposed data was extensive and highly personal, including:
- Full names, dates of birth, occupations
- Email addresses, cell phone numbers, home and mailing addresses
- Detailed responses from juror questionnaires, which often included sensitive demographic and personal history information such as:
  - Gender, ethnicity, education level, employer, marital status, number of children
  - Citizenship status, age (whether over 18)
  - Criminal history, specifically if the individual had been convicted or indicted for theft or a felony.
In some instances, the vulnerability could also expose personal health data. For example, if a juror requested an exemption from service due to health reasons, their medical justification might have been disclosed within their profile.
Tyler Technologies' Response and Past Incidents
TechCrunch notified Tyler Technologies of the issue on November 5, with the company acknowledging the vulnerability on November 25. Karen Shields, a spokesperson for Tyler, confirmed the existence of "a vulnerability where some juror information may have been accessible via a brute force attack." She added that the company had "developed a remediation to prevent unauthorized access and are communicating next steps with our clients." However, Tyler Technologies did not respond to follow-up questions regarding whether they could detect malicious access or if they planned to notify affected individuals.
This is not an isolated incident for Tyler Technologies. In 2023, a separate security flaw in their Case Management System Plus product, used in Georgia, exposed sealed and confidential court documents. These included highly sensitive details such as witness lists, testimony, mental health evaluations, allegations of abuse, and corporate trade secrets. That particular incident also involved vulnerabilities in systems from other government technology providers, Catalis and Henschen & Associates, highlighting broader security challenges within public sector software.








