A recently discovered vulnerability in jury-management software from Tyler Technologies exposed highly sensitive personal information for potential jurors across at least a dozen U.S. states after attackers exploited predictable numeric identifiers to access juror portals. The leaked data reportedly included full names, dates of birth, contact details, home addresses, occupational and demographic information, and in some cases sensitive health data from hardship or exemption questionnaires. The flaw affected court systems in states including Illinois, California, Texas, Michigan, Nevada, Ohio, Pennsylvania, and Virginia. Tyler Technologies acknowledged the problem on November 25, 2025, claimed to have patched the vulnerability, and said it is working with affected clients to remediate the issue.
Sources: TechCrunch, TechBuzz
Key Takeaway
– The bug exploited “sequential identifier plus no rate-limiting” logic, a classic access-control weakness, making it trivial for attackers to scrape juror records at scale.
– Exposed information included not only basic identifying details, but also sensitive juror-questionnaire data — e.g., health status or criminal history — which raises serious privacy and security concerns for jurors.
– Though Tyler patched the vulnerability, it remains unclear whether courts will notify affected jurors or whether logs show any actual unauthorized access, raising questions about accountability and systemic transparency.
In-Depth
Late November 2025 brought to light a disturbing and widespread privacy breach affecting court systems across the United States — one that has serious implications for personal security and public trust in the justice infrastructure. The root of the issue lay in jury-management software produced by Tyler Technologies, a widely used vendor for county and state courts. A security researcher discovered that various juror-portal websites built on Tyler’s platform used simple, sequential numeric IDs for juror log-ins — and lacked any rate limiting or protection against brute-force or enumeration attacks. In other words: an attacker could simply script a loop through these numeric identifiers and effectively “guess” valid ones en masse, then retrieve full juror profiles.
Upon gaining access, TechCrunch investigators viewed multiple portals — including one for a Texas county — and saw sensitive personal information in plain view: full names, dates of birth, occupation, email addresses, cell-phone numbers, home and mailing addresses, and other demographic details. Perhaps even more troubling, some profiles included health information and responses to juror-questionnaire items evaluating hardship or eligibility. That means not only basic identity data was exposed, but also sensitive personal background and health-related information.
The scope is nationwide. Affected systems spanned at least a dozen states, including major jurisdictions such as Illinois, California, Texas, Michigan, Ohio, Nevada, Pennsylvania, and Virginia. Given the recurring use of Tyler’s software by courts, the bug may have touched thousands — perhaps tens of thousands — of jurors over time.
Tyler Technologies announced that it validated the vulnerability on November 25, 2025, and claimed that a remediation had been developed and communicated to affected court clients. That said, key questions remain unanswered: Did courts review logs to determine whether any unauthorized access occurred? Will individual jurors be notified and offered remediation (e.g., credit-monitoring or identity-theft safeguards)? And perhaps more broadly: what systemic reforms will be instituted to prevent such a glaring oversight in public-sector cybersecurity?
This incident is hardly an isolated software glitch. Rather, it highlights a pattern: judicial technology systems, often underfunded and legacy-laced, tend to rely on vendor-supplied portals with minimal security hardening. In a similar previous incident, sealed court records — including sensitive legal filings and even mental-health assessments — were exposed via a separate vulnerability in widely used case-management software, prompting concerns about the robustness of protections for confidential court records.
The stakes are high. Jury duty — a civic cornerstone — depends on maintaining juror anonymity and privacy. Exposure of personal data puts jurors at risk of identity theft, harassment, doxxing, and undue influence. It may also deter civic participation: people may be less willing to serve if their personal data could end up public or in nefarious hands.
What should be done? At a minimum, courts should audit their use of vendor software and insist on security-by-design standards: randomized tokens, non-sequential identifiers, rate limiting, two-factor verification linked to postal mailings or physical summons, and robust logging and notification systems. Vendors like Tyler should be required to undergo regular third-party penetration testing and publish transparency reports — especially when flaws are discovered. Meanwhile, jurors should remain vigilant: if notified of the breach, they should consider placing fraud alerts on their credit files, monitor for unusual contact attempts, and treat any unsolicited communications referencing jury duty with suspicion.
In short: a seemingly innocuous design decision — sequential ID numbers without authentication hardening — has revealed a deep structural vulnerability in court-system cybersecurity. Fixing the code is only step one; restoring public trust will require meaningful transparency, accountability, and long-term reforms.