A software vulnerability in jury management software used by courts across the U.S. allowed people to access a wide range of sensitive information on jurors, prospective jurors, and others involved in court cases, according to security researchers.
The sites in question serve jurisdictions including California, Illinois, Michigan, Nevada, Ohio, and Pennsylvania, as well as Texas and Virginia, and they are affiliated with platforms from Tyler Technologies — a major vendor to courts around the country.
How the jury portal flaw exposed sensitive juror data
Jurors typically receive a summons and a unique numeric identifier that allows them to access court portals. In this scenario, since the ID was consecutive, it was easily guessable and there was no rate limiting on the portal to restrict multiple login attempts. Together, those flaws provided a direct route allowing attackers to loop through valid juror IDs and access records without traditional passwords.
Security professionals frequently refer to this sort of issue as an insecure direct object reference (IDOR) or access control failure: predictable identifiers combined with insufficient request limiting. NIST and OWASP guidance has historically advocated the use of randomized tokens, throttling, and anomaly detection to protect against brute-force and enumeration attacks. When you don’t have those controls, even rudimentary scripts can automatically guess credentials over thousands of IDs.
Aside from names and contact information, the information that was exposed included answers to juror qualification questionnaires. These forms can involve extremely sensitive personal information in a hardship or eligibility determination, such as employment history, caregiving responsibilities, medical conditions that may limit an individual’s ability to take on other work, and previous involvement with the justice system. The specific data fields depend on the jurisdiction, but the privacy stakes are generally high.
Scope of the exposure and the data most at risk
While officials have yet to detail publicly how many courts or jurors are affected overall, the named states include some of the busiest dockets in the country. Jury rooms are constantly in use as new panels are empaneled, so any vulnerability in the portal has a wide exposure window. Even in high-stakes trials (if television is to be believed, anyway), prosaic personal facts can quickly become fodder for harassment or attempts at influence — which is why many courts are increasingly reluctant to expose the identities of jurors.
Tyler Technologies acknowledged the vulnerability and said that its security staff had confirmed that some juror information may have been vulnerable to a brute-force attack. The company said that it has corrected the issue and is discussing next steps with court clients. It has not been stated publicly whether logs indicate malicious access or whether individual jurors would be notified, decisions that would depend in part on normal legal procedures and forensic certainty.
Vendor response and history of similar court tech flaws
This is not the first time sensitive court data has appeared online because of vendor-side security loopholes. In a previous episode, another researcher found flaws that allowed sealed and confidential records to be pulled from online court systems. At the time, Tyler was grappling with findings in its Case Management System Plus software, used in Georgia, while similar exposures were found in products other states had purchased from Catalis and Henschen & Associates. The recurring theme illustrates how fragmented procurement and legacy integrations can create an uneven defense across the judicial technology ecosystem.
Courthouses depend on vendors for everything from e-filing to docket search to jury management. That reliance also means the security posture can be no better than the weakest supplier control. For software that processes court data, independent penetration testing, participation in coordinated vulnerability disclosure programs, and transparent remediation timelines are increasingly seen as table stakes.
Why these security failures persist across court portals
Government web portals may inherit limitations from outdated architectures, lean budgets, or layers of legacy integrations with county and state systems, and they often lag far behind consumer-grade apps on security. The protections we take for granted in consumer applications — effective rate limiting, randomized identifiers, bot defenses, and ongoing monitoring — are often bolted on after deployment rather than baked in from the start. CISA’s Secure by Design guidance advises vendors to prioritize protections like blocking and safe default settings as the out-of-the-box rule, not optional add-ons.
Strong authentication also sits awkwardly with jury workflows: some courts shun more onerous login demands so that access is fairer and less intimidating. That usability demand makes it all the more crucial to implement protections that are invisible to the juror, including server-side throttles, abuse detection, and session-bound tokens that can’t be guessed or replayed.
What courts and jurors should do now to reduce exposure
Courts and service providers should prioritize the following mitigations:
- Use non-sequential identifiers and randomized tokens for portal access.
- Implement rate limiting, IP reputation checks, and anomaly detection to stop enumeration attempts.
- Engage third-party testing, log events for audit trails, and follow clear notification processes to maintain public trust.
- Where possible, add a second factor linked to summons mailings — such as a one-time code or ZIP code match — without burdening jurors.
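The enumeration weakness described above and the first two mitigations in the list, as an added example (not Tyler Technologies’ code or any court’s actual portal): random summons-bound tokens replace guessable sequential IDs, a per-client failure throttle stops looping through identifiers, and a detector flags enumeration in access logs. The record store, token index, and log lines are constructed.

```python
"""Hardened juror-portal lookup: random access tokens plus a server-side
throttle, and an enumeration detector over constructed access-log lines.
Added example, not vendor code; all stores and log lines are constructed."""
import hashlib
import secrets
from collections import defaultdict

# Constructed in-memory stores standing in for a database.
RECORDS = {1001: "juror A", 1002: "juror B"}   # sequential internal IDs
TOKEN_INDEX = {}                               # sha256(token) -> internal ID
ATTEMPTS = defaultdict(list)                   # client -> failed-attempt times
MAX_FAILURES, WINDOW_SECONDS = 5, 600

def issue_token(record_id):
    """Mint an unguessable token to print on the summons; only its hash is
    stored, and nothing about it is derivable from the sequential ID."""
    token = secrets.token_urlsafe(32)           # 256 bits of randomness
    TOKEN_INDEX[hashlib.sha256(token.encode()).hexdigest()] = record_id
    return token

def lookup(token, client, now):
    """Resolve a token for a client. Once the client has MAX_FAILURES failed
    attempts inside WINDOW_SECONDS, every request (even a valid token) is
    refused until the window slides past, which is what stops looping."""
    recent = [t for t in ATTEMPTS[client] if now - t < WINDOW_SECONDS]
    ATTEMPTS[client] = recent
    if len(recent) >= MAX_FAILURES:
        return "rate_limited", None
    digest = hashlib.sha256(token.encode()).hexdigest()
    if digest not in TOKEN_INDEX:
        recent.append(now)                     # count only failures
        return "not_found", None
    return "ok", RECORDS[TOKEN_INDEX[digest]]

def detect_enumeration(log_lines, threshold=20):
    """Flag clients whose failed lookups reach threshold: a real juror
    mistypes a token a few times, not dozens. Log format (constructed):
    '<timestamp> <client> <status>'."""
    failures = defaultdict(int)
    for line in log_lines:
        _ts, client, status = line.split()
        if status != "ok":
            failures[client] += 1
    return sorted(c for c, n in failures.items() if n >= threshold)

# Constructed access log: one client fails 25 times, a normal juror once.
SAMPLE_LOG = [f"{i} 203.0.113.9 not_found" for i in range(25)] + [
    "30 198.51.100.4 ok", "31 198.51.100.4 not_found"]
```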
Jurors can reduce their exposure by taking these precautions:
- Avoid clicking portal links sent in emails or texts; instead, go directly to the court’s official site or call the clerk’s office.
- Be wary of unsolicited communications about jury duty, especially those requesting additional personal information or payments.
- If informed of possible exposure, consider placing alerts on financial accounts and watch for suspicious contact mentioning jury information.
At the end of the day, the episode serves as a reminder that very ordinary civic portals can house extremely sensitive information. If those systems break down, the implications are not just about privacy but also about the soundness of justice. Closing base-level holes — beginning with random IDs and modern rate limiting, for example — would make this sort of breach far less devastatingly simple in the first place.