Tyler Technologies Jury System Flaw Exposes Sensitive Personal Data in US States
Published
Key Takeaways
- Vulnerability discovered: A security flaw in jury management systems developed by Tyler Technologies has exposed data of jurors across several U.S. states.
- Data exposed: Jurors' full names, dates of birth, home addresses, phone numbers, occupations, and answers to sensitive qualification questionnaires were leaked.
- Brute-force attack: The system was vulnerable to a brute-force attack due to sequentially incremental juror IDs and a lack of rate-limiting on the login page.
A significant security flaw has been identified in jury management systems used by courts in multiple U.S. states, including California, Illinois, Texas, and Virginia. The vulnerability, present in software developed by government technology provider Tyler Technologies, was discovered and reported by a security researcher and enabled unauthorized access to highly sensitive juror data.
Details of the Jury Management System Flaw
The Tyler Technologies vulnerability stemmed from a basic security oversight. The public-facing portals assigned jurors a unique, sequentially incremental numerical identifier. An attacker could systematically guess these numbers in a brute-force attack to gain access to individual juror profiles.
The system's failure to implement rate limiting made this method highly effective, as this feature prevents excessive login attempts, according to the researcher, cited by TechCrunch. Once inside a juror's profile, an attacker could view a trove of personally identifiable information, including:
- Full names,
- Dates of birth,
- Occupation,
- Email addresses,
- Phone numbers,
- Home addresses,
- Gender,
- Ethnicity,
- Education level,
- Employer,
- Marital status,
- Citizenship,
- Age over 18,
- Convictions or indictments for theft or a felony,
- Personal health data in some cases.
Response and Remediation Efforts
After being alerted to the jury system data breach on November 5, Tyler Technologies confirmed the vulnerability on November 25 and stated its security team had developed a remediation to prevent further unauthorized access and is communicating the next steps to its clients.
Tyler acknowledged that the flaw could allow some juror information to be accessed via a brute-force attack, Tyler spokesperson Karen Shields said.
However, it did not specify whether it could determine if the vulnerability had been maliciously exploited or if it plans to directly notify the individuals whose sensitive juror data was exposed.
This incident marks another security lapse for the company, which has previously faced scrutiny for other data exposure issues in its court-related products and suffered a ransomware attack in 2020.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular