Tyler Technologies is scrambling to patch a critical vulnerability in its jury management systems after TechCrunch discovered the flaw exposed sensitive personal data of jurors across at least a dozen US states. The bug allowed anyone to brute-force access to names, addresses, phone numbers, and even health information through a simple numerical guessing attack.
A devastating security flaw in Tyler Technologies' jury management platforms has left thousands of potential jurors' personal information exposed across the United States, TechCrunch has learned exclusively. The vulnerability affects at least a dozen court systems spanning California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.
The attack method was surprisingly simple. Jurors receive sequential numerical identifiers to access their portals, but Tyler's systems lacked basic rate-limiting protections. This meant anyone could systematically guess login credentials by trying consecutive numbers, eventually gaining access to complete juror profiles.
"A vulnerability exists where some juror information may have been accessible via a brute force attack," Tyler spokesperson Karen Shields confirmed to TechCrunch after the company was alerted on November 5th.
The exposed data goes far beyond basic contact information. TechCrunch viewed a Texas county portal containing full names, birth dates, occupations, email addresses, cell numbers, and both home and mailing addresses. But the real privacy nightmare lies in the jury questionnaires themselves.
These mandatory forms collect intensely personal details: ethnicity, education level, employer information, marital status, number of children, citizenship status, and criminal history. The system also captured medical exemption requests, potentially exposing sensitive health conditions that jurors believed would disqualify them from service.
The timing couldn't be worse for Tyler Technologies, which serves as the backbone for government operations across thousands of jurisdictions. The company's software manages everything from court records to tax collection, making it a prime target for cybercriminals seeking personal data.
This incident marks Tyler's second major security failure in just two years. In 2023, researchers discovered Tyler's Case Management System Plus exposed sealed court documents, witness testimony, mental health evaluations, and trade secrets across Georgia's court system. That breach also affected competitors Catalis and Henschen & Associates.
"We have developed a remediation to prevent unauthorized access and are communicating next steps with our clients," Shields said. But Tyler declined to answer whether it can determine if attackers actually accessed the data, or whether exposed jurors will be notified.
The vulnerability highlights a broader crisis in government technology security. Unlike private companies that face immediate market consequences for data breaches, government contractors often operate with less scrutiny despite handling equally sensitive information.
Security experts point to this case as a textbook example of poor security hygiene. Sequential user IDs combined with missing rate-limiting represent fundamental oversights that should never make it to production systems handling personal data.
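The missing control can be shown in a few lines. This Python example is added here for illustration; it is not Tyler's code or its remediation, which the article does not describe. It assumes a portal that can see the client address of each login attempt, and every name in it (`IdentifierThrottle`, `replay`, the thresholds, the sample events) is hypothetical. Because sequential identifiers mean many guesses will be valid, it limits the number of distinct identifiers one client may try rather than counting only failed logins.

```python
from collections import defaultdict, deque


class IdentifierThrottle:
    """Caps how many distinct juror IDs one client may try per time window."""

    def __init__(self, max_distinct_ids=3, window_s=600, lockout_s=3600):
        self.max_distinct_ids = max_distinct_ids
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._seen = defaultdict(deque)   # client -> deque of (timestamp, juror_id)
        self._locked_until = {}           # client -> time the lockout ends

    def check(self, client, juror_id, now):
        """Return True if the attempt may proceed; call before any credential lookup."""
        if now < self._locked_until.get(client, 0):
            return False
        attempts = self._seen[client]
        # Drop attempts that have aged out of the sliding window.
        while attempts and attempts[0][0] <= now - self.window_s:
            attempts.popleft()
        attempts.append((now, juror_id))
        # Retrying the same ID is normal; walking through many IDs is not.
        if len({jid for _, jid in attempts}) > self.max_distinct_ids:
            self._locked_until[client] = now + self.lockout_s
            return False
        return True


def replay(events, throttle):
    """Replay (time, client, juror_id) events; return the IDs each client was allowed to try."""
    allowed = defaultdict(list)
    for now, client, juror_id in sorted(events):
        if throttle.check(client, juror_id, now):
            allowed[client].append(juror_id)
    return dict(allowed)


# Constructed sample events (documentation addresses, made-up IDs):
# one client walks eight consecutive IDs, another retries a single ID three times.
SAMPLE = [(t, "198.51.100.7", 100000 + t) for t in range(8)]
SAMPLE += [(t, "203.0.113.20", 555123) for t in (3, 5, 9)]

if __name__ == "__main__":
    for client, ids in replay(SAMPLE, IdentifierThrottle()).items():
        print(client, ids)
```

Keying on the client address alone does not cover attempts spread across many addresses, so a limiter like this complements identifiers that cannot be guessed by counting rather than replacing them.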
For the thousands of Americans whose jury service may have exposed them to identity theft or harassment, Tyler's response raises more questions than answers. The company hasn't committed to notifying affected individuals or providing credit monitoring services typically offered after corporate breaches.
The researcher who discovered the flaw, speaking anonymously to protect their security work, expressed frustration with the government technology sector's apparent indifference to basic security practices. "These systems handle some of the most sensitive personal information imaginable, yet they're built with security as an afterthought."
Tyler's remediation efforts are now underway, but the damage may already be done. The sequential nature of the vulnerability means that anyone with basic technical knowledge could have systematically harvested juror data over an extended period without detection.
Tyler Technologies' latest security failure exposes the dangerous gap between government agencies' data collection practices and their cybersecurity capabilities. As courts increasingly digitize sensitive processes like jury selection, vendors like Tyler must be held to the same security standards we expect from financial institutions and healthcare providers. Until government technology contractors face real consequences for these preventable breaches, American citizens will continue paying the price with their personal privacy.