Executive summary – what changed and why it matters
Several jury-management websites built on Tyler Technologies’ platform allowed anyone to enumerate juror records because the systems used sequential numeric identifiers and lacked rate‑limiting. TechCrunch and a security researcher found at least a dozen affected portals across multiple U.S. states and Canada; exposed fields included full names, home and mailing addresses, dates of birth, emails, cell numbers, questionnaire responses and, in some cases, health‑related exemption details. Tyler has acknowledged the vulnerability and says it is rolling out a remediation, but key questions about detection, notification and damage assessment remain unanswered.
Key takeaways
- Scope: At least a dozen jury portals in states including CA, IL, MI, NV, OH, PA, TX and VA – plus instances in Canada – were running the vulnerable platform.
- Root cause: predictable sequential numeric IDs combined with the absence of rate‑limiting allowed brute‑force enumeration.
- Data exposed: names, DOB, addresses, contact numbers, employer, questionnaire answers and possible medical exemption reasons.
- Timeline: researcher alerted Tyler on Nov 5; Tyler acknowledged Nov 25 and is deploying fixes.
- Unresolved: Tyler has not confirmed whether it can detect malicious access or whether affected people will be notified.
Breaking down the vulnerability
The sites issued each juror a numeric “identifier” that doubled as the login credential. Those IDs were sequential and predictable, so an automated script could iterate through a range and retrieve record after record: a textbook insecure direct object reference. Compounding the problem, the platform lacked rate‑limiting, IP blocking, account lockouts or CAPTCHAs — basic controls that would have stopped or slowed automated enumeration. The exposed questionnaire fields included sensitive categories (citizenship, criminal history) and, in some cases, free‑text health explanations tied to exemption requests — effectively revealing medical details in plain text.
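To make the contrast concrete, here is an added example in Python (my illustration, not Tyler’s code and not taken from any affected portal): the sequential-number lookup the paragraph above describes, beside a hardened version built from the controls the article recommends under “Context and precedent” and in the “Harden access” checklist item: unguessable, expiring access tokens stored hashed at rest, a per-client failure budget and a lockout. The juror records, the `TokenPortal` class and every threshold are constructed for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample juror records keyed on a sequential number (hypothetical
# data; not taken from any real portal).
JURORS = {
    1001: {"name": "Juror A", "dob": "1980-01-01"},
    1002: {"name": "Juror B", "dob": "1975-06-15"},
    1003: {"name": "Juror C", "dob": "1992-11-30"},
}


def lookup_vulnerable(juror_id: int) -> Optional[dict]:
    """The pattern the article describes: the sequential number the juror
    types in is the only credential, and nothing throttles repeated tries.
    Any caller who supplies a valid integer gets the record."""
    return JURORS.get(juror_id)


@dataclass
class TokenPortal:
    """Hardened replacement (constructed design): unguessable, expiring,
    hashed-at-rest access tokens plus a per-client failure budget and lockout."""
    token_ttl_seconds: float = 30 * 24 * 3600  # token dies after the summons period
    max_failures: int = 5                      # failed lookups allowed per window
    window_seconds: float = 60.0               # sliding failure window
    lockout_seconds: float = 900.0             # lockout once the budget is spent
    _tokens: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # sha256 -> (juror_id, expiry)
    _failures: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    _locked_until: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash, so a copied database table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, juror_id: int, now: Optional[float] = None) -> str:
        """Mint a 256-bit URL-safe token for one juror. It is delivered out of
        band (for example printed on the mailed summons) and is never derived
        from the juror number, so knowing one ID reveals nothing about another."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (juror_id, now + self.token_ttl_seconds)
        return token

    def lookup(self, client: str, token: str,
               now: Optional[float] = None) -> Tuple[Optional[dict], str]:
        """Return (record, status); status is ok, invalid, expired or locked_out.
        `client` is whatever identifies the caller for throttling (source IP,
        session, or both)."""
        now = time.time() if now is None else now
        if self._locked_until.get(client, 0.0) > now:
            return None, "locked_out"
        # Keep only failures inside the sliding window, then check the budget.
        recent = [t for t in self._failures[client] if now - t < self.window_seconds]
        self._failures[client] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[client] = now + self.lockout_seconds
            return None, "locked_out"
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            self._failures[client].append(now)
            return None, "invalid"
        juror_id, expires_at = entry
        if now > expires_at:
            return None, "expired"
        return JURORS.get(juror_id), "ok"
```

The two halves differ in what an attacker has to guess: in the vulnerable form it is a small integer drawn from a contiguous range, in the hardened form it is 256 random bits, and even the attempt to guess is capped per client and punished with a lockout. In production the failure counters and lockouts would live in a shared store (for example the web framework’s cache) rather than in process memory, so that they survive restarts and apply across every front-end node.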
Why this matters now
This isn’t just an abstract privacy failure. Juror contact details and addresses enable targeted doxxing, harassment, jury intimidation, social engineering and stalking. Disclosure of health exemption reasons can reveal sensitive medical information that raises legal issues and harms vulnerable people. Courts rely on confidentiality for juror safety and impartiality; data exposure undermines public trust and can interfere with court operations.

Context and precedent
Tyler has been linked to exposures before: a 2023 flaw in its Case Management System Plus product exposed sealed and confidential court records. Government technology vendors remain frequent targets because they centralize sensitive records and often run legacy or lightly secured platforms. Competitors following best practice do things differently: they use non‑guessable tokens (UUIDs), ephemeral access links, per‑user authentication, robust rate‑limits, anomaly detection and strong logging to detect abuse.
Risk and compliance implications
Immediate risks include identity theft and physical safety threats to jurors; longer‑term risks include erosion of jury pool participation and legal exposure for courts and the vendor. Regulatory obligations to notify individuals vary by state and province; courts and Tyler should assume breach notification statutes may apply. Tyler’s refusal so far to say whether it can detect unauthorized access increases the odds that discovery and notification will be necessary once logs are audited.

Operator’s checklist — immediate recommended actions
- Patch now: deploy Tyler’s remediation immediately and verify it blocks enumeration tests from multiple vantage points.
- Audit logs: preserve and review access logs (IP, user agent, request rates) across the affected timeframes; engage a DFIR team to search for automated scraping indicators.
- Assess and notify: determine applicable breach‑notification laws and prepare notifications for exposed jurors; prioritize those with disclosed health details or protective needs.
- Harden access: replace sequential IDs with unguessable tokens, add rate‑limiting and CAPTCHA, enforce account lockouts, and consider short‑lived single‑use tokens delivered via secure channels.
- Temporary mitigations: where detection is incomplete, consider taking affected portals offline or limiting online self‑service until controls are verified.
- Vendor governance: courts should require immediate evidence of testing, a remediation timeline, SOC 2 or equivalent attestation, and contract language for incident response and notifications.
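For the “Audit logs” step, here is an added example in Python (my illustration, not the article’s or Tyler’s code) of the kind of scraping-indicator search a DFIR team would run over web-server access logs. It groups requests by client IP and flags clients whose requests walk juror IDs sequentially, arrive at a high rate, or touch many distinct records (a legitimate juror looks up only their own). The log lines, the `/juror/<id>` path layout, the combined log format and the thresholds are constructed assumptions; the real portal’s routes and log format must be substituted before use.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Combined log format, the default for Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed path layout for the portal; adjust to the real application's routes.
ID_RE = re.compile(r"^/juror/(?P<id>\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    id_match = ID_RE.match(m.group("path"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "juror_id": int(id_match.group("id")) if id_match else None,
    }


def analyze(lines: List[str], min_requests: int = 10,
            rate_per_min: float = 30.0, seq_fraction: float = 0.8) -> Dict[str, dict]:
    """Group by client IP and score each client for enumeration behaviour.
    A client is flagged when at least two independent indicators fire."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = n / max(span, 1.0) * 60.0
        ids = [r["juror_id"] for r in recs if r["juror_id"] is not None]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq = (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0
        distinct = len(set(ids))

        reasons = []
        if n >= min_requests and rate >= rate_per_min:
            reasons.append("high_rate")
        if len(steps) >= min_requests - 1 and seq >= seq_fraction:
            reasons.append("sequential_ids")
        if distinct >= min_requests:
            reasons.append("many_distinct_ids")
        if not recs[0]["ua"].startswith("Mozilla/"):
            reasons.append("non_browser_user_agent")  # weak alone; never the sole basis
        report[ip] = {
            "requests": n, "rate_per_min": round(rate, 1), "distinct_ids": distinct,
            "sequential_fraction": round(seq, 2), "reasons": reasons,
            "flagged": len(reasons) >= 2,
        }
    return report


def _build_sample_log() -> List[str]:
    """Constructed sample: 203.0.113.7 walks IDs 1001..1040 once per second
    with a scripting user agent; 198.51.100.4 is an ordinary juror visit."""
    lines = [
        '203.0.113.7 - - [10/Dec/2025:14:00:%02d +0000] "GET /juror/%d HTTP/1.1" '
        '200 1842 "-" "python-requests/2.31"' % (i, 1001 + i)
        for i in range(40)
    ]
    lines += [
        '198.51.100.4 - - [10/Dec/2025:14:03:12 +0000] "GET /juror/1022 HTTP/1.1" '
        '200 1842 "-" "Mozilla/5.0 (Windows NT 10.0)"',
        '198.51.100.4 - - [10/Dec/2025:14:03:40 +0000] "POST /juror/1022/questionnaire HTTP/1.1" '
        '302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    ]
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, "FLAGGED" if r["flagged"] else "ok", r["reasons"])
```

The “many distinct IDs per client” signal is the most robust of the four, because a juror has exactly one record to look at; rate and user-agent indicators are easy to evade by slowing down or spoofing, and a scraper that randomizes its ID order defeats the sequential check. When running this against real logs, also split by the timeframe in the disclosure (the report’s first notice on Nov 5 onward) and by status code, since a portal without lockouts returns 200 for every valid guess and gives no error trail to search for.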
Bottom line
The technical flaw was simple and preventable, but the consequences are real for juror privacy and court integrity. For operators and procurement leaders, this is a wake‑up call: demand demonstrable security controls from government‑technology vendors, validate those controls with independent testing, and treat exposed juror data as a high‑priority incident requiring immediate remediation, audit and — where required — public notification.