Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Flaw in jury management site could impact millions across the US

Written by Caitlin Anthoney | December 09, 2025

The Administrative Office of the U.S. Courts recently revealed that several juror-management websites contained an exploitable security flaw, exposing sensitive personal data. The issue affected at least a dozen sites built by government software vendor Tyler Technologies.


What happened

At least a dozen public jury-management websites operated by courts in California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia were found to contain a serious security vulnerability. The sites used sequential juror ID numbers that could be brute-forced without any rate-limiting. This allowed anyone to repeatedly submit login attempts until they successfully accessed juror profiles.

A Texas county’s portal, for example, confirmed access to full names, dates of birth, email addresses, phone numbers, home and mailing addresses, occupations, and detailed questionnaire responses. Some profiles also contained health information disclosed by jurors seeking exemptions from service.

Tyler Technologies began investigating after being notified on November 5. They acknowledged the vulnerability on November 25, saying a fix is now in progress.


The backstory

Over the past several years, Tyler Technologies, which provides widely used court- and justice-management software, like Odyssey Portal, has repeatedly been at the center of high-profile data exposures.

2020-2022: In early 2022, a vulnerability in Odyssey’s public-records implementation allowed a third-party aggregator to retrieve and publish hundreds of thousands of confidential case files. One of the incidents involved the State Bar of California, where more than 322,000 nonpublic records and tens of thousands of public filings were leaked.

The issue stemmed from the portal inadvertently pulling sealed or restricted records while fulfilling public-record queries. Tyler issued patches, and by April 2022, it reported that all potentially affected client portals had been remediated.

2023: Another Tyler-related incident emerged when vulnerabilities in its Case Management System Plus (CMS+) led to sealed and highly sensitive court documents becoming accessible online.

Exposed materials included mental-health evaluations, witness lists, abuse-related documents, and confidential filings in criminal and family-court cases. Multiple states were affected, prompting some jurisdictions (e.g., Kansas, California, and Maine’s Judicial Branches) to pull most online court records offline entirely while conducting audits and implementing security updates.

2023-2024: Following the 2023 researcher disclosures, several CVEs and advisories (e.g., CVE-2023-6342 and related IDs) were cataloged; vendors published mitigations and removed or patched vulnerable features (for example, a “pay for print” feature cited in advisories).

Apr 2024: Tyler notified the District of Columbia Department of Insurance, Securities, and Banking about unauthorized access to a cloud environment storing client STAR system data. Their investigation found that a threat actor encrypted the system and acquired data, claiming they would make information from this system public.


What was said

Following the recent vulnerability, the Administrative Office of the U.S. Courts stated, “The federal Judiciary is taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system.”

“The Judiciary is also further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants.”

The Office further states it “has continued to collaborate with Congress as well as the Department of Justice, the Department of Homeland Security, and other partners in the executive branch to mitigate the risks and impacts of these cyberattacks.”


Why it matters

Jury-management portals are online systems courts use to register potential jurors, collect eligibility questionnaires, verify identity, and communicate reminders. These systems often store extensive personal information, including demographic data, employment, legal history, and occasionally medical justifications for exemptions.

Since these portals contain sensitive personal, demographic, and health-related data, any authentication flaw can inadvertently expose highly confidential information.

The exposure could lead to identity theft, harassment, or misuse of health-related disclosures. Because Tyler’s software is deployed across many jurisdictions, any new or residual flaw in it could cause large-scale exposure of personal and sensitive data.


FAQs

What is a vulnerability?

A vulnerability is a flaw or weakness in software, infrastructure, or configuration that can be exploited to access data or functions that should be protected. Examples include misconfigured databases, brute-force-friendly login pages, or overly broad API access.

Related: How email integrations can lead to vulnerability


What is brute-force access?

Brute-force access is when an attacker repeatedly guesses identifiers or login credentials until one works. In the jury-site case, sequential juror IDs could be tried rapidly until valid profiles were returned.
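As an added illustration (not code from Tyler Technologies, the courts, or this article), the Python model below contrasts the design described above, sequential juror IDs looked up with no rate limit, with a hardened lookup that issues random, unguessable codes and locks a client out after repeated failures. The record values, thresholds, and client labels are constructed for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample data: profiles keyed by a sequential juror number,
# mirroring the weak design the article describes.
WEAK_RECORDS = {
    100001: {"name": "Juror A"},
    100002: {"name": "Juror B"},
    100003: {"name": "Juror C"},
}


def lookup_weak(juror_id):
    """Unprotected lookup: any integer that exists returns a profile, every time."""
    return WEAK_RECORDS.get(juror_id)


def sequential_hits(start, count):
    """Audit helper: how many of `count` consecutive IDs resolve to a profile.
    With sequential numbering this is simply the density of real records."""
    return sum(1 for i in range(start, start + count) if lookup_weak(i) is not None)


class RateLimitedPortal:
    """Hardened lookup (assumed design, not the vendor's actual fix):
    - each record is reissued under a random 128-bit URL-safe code
    - a client with `max_failures` failed lookups inside `window_s` seconds
      is refused further lookups, valid code or not, until the window passes
    """

    def __init__(self, records, max_failures=5, window_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self.records = {secrets.token_urlsafe(16): rec for rec in records.values()}
        self.failures = defaultdict(deque)  # client -> timestamps of failed lookups

    def _prune(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def lookup(self, client, code):
        now = self.clock()
        self._prune(client, now)
        if len(self.failures[client]) >= self.max_failures:
            return ("locked_out", None)
        rec = self.records.get(code)
        if rec is None:
            self.failures[client].append(now)
            return ("not_found", None)
        return ("ok", rec)
```

Against the weak design, every ID in a contiguous range is a candidate; against the hardened one, a client gets at most `max_failures` guesses per window at a 2^128 space, so the lockout fires long before enumeration is feasible.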


What is token rotation?

Token rotation is the practice of automatically replacing authentication tokens on a regular schedule. If leaked tokens aren’t rotated, attackers can continue using them indefinitely.

Go deeper: Is token-based authentication HIPAA compliant?