Jury Duty Can Expose Personal Data

Need another reason to dislike jury duty? Data breaches via a government software maker.

12/8/2025


Several websites that allow courts to manage the personal information of potential jurors in the United States and Canada contain a security flaw. The flaw exposed sensitive data, often beyond just names and addresses.

An anonymous security researcher identified at least a dozen juror websites, created by government software maker Tyler Technologies, that were easy to exploit. Tyler told TechCrunch that it is fixing the flaw after being alerted to it.

Actual jurors were provided a unique, sequentially incremental number. The article doesn’t mention whether the number acted as a password or username, but it virtually implied the number was the only requirement to log in. [If a reader knows, perhaps they could inform me.] The platform also did not have any programming mechanism to prevent flooding the login pages with endless guesses. In other words, no “3 tries left” scenario.
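The missing “3 tries left” control described above, sketched as an added example (not code from Tyler Technologies or the TechCrunch report): a per-client lockout on failed juror-number logins that also flags guesses stepping through consecutive numbers. The class and function names, the addresses, and the juror numbers are all constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-client sliding-window lockout for failed juror-number logins."""
    def __init__(self, max_failures=3, window_s=900):
        self.max_failures = max_failures     # the "3 tries left" rule
        self.window_s = window_s             # how long a failure counts, in seconds
        self._failures = defaultdict(deque)  # client -> (time, guessed number) pairs

    def _prune(self, client, now):
        q = self._failures[client]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()                      # forget failures older than the window
        return q

    def allowed(self, client, now):
        """True if this client may still attempt a login."""
        return len(self._prune(client, now)) < self.max_failures

    def record_failure(self, client, juror_number, now):
        self._prune(client, now).append((now, juror_number))

    def is_enumerating(self, client, now):
        """True if the recent failed guesses step through consecutive numbers."""
        nums = [n for _, n in self._prune(client, now)]
        return len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

def replay(attempts, valid_numbers, throttle):
    """Run (time, client, juror_number) attempts through the throttle."""
    outcomes = []
    for now, client, number in attempts:
        if not throttle.allowed(client, now):
            outcomes.append("blocked")       # locked out, even if the number is valid
        elif number in valid_numbers:
            outcomes.append("ok")
        else:
            throttle.record_failure(client, number, now)
            outcomes.append("denied")
    return outcomes

# Constructed sample data: documentation-range addresses, made-up juror numbers.
VALID = {100245, 100901}
ATTEMPTS = [(t, "198.51.100.7", 100240 + t) for t in range(6)] + [
    (10, "203.0.113.20", 100910),  # a real juror mistyping once
    (40, "203.0.113.20", 100901),  # then entering the right number
]

if __name__ == "__main__":
    throttle = LoginThrottle()
    print(replay(ATTEMPTS, VALID, throttle))
    print(throttle.is_enumerating("198.51.100.7", 6))
```

Keying the lockout on client address only slows a single source, so it complements rather than replaces requiring a second secret alongside the guessable number.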

At least one jury management portal in Texas exposed full names, dates of birth, occupation, email addresses, cell phone numbers, and home and mailing addresses. In some cases, exposed data contained information included in questionnaires that potential jurors are required to fill out for jury qualification purposes.

Potential data exposure could involve the person’s gender, ethnicity, education level, employer, marital status, children, if the person was a citizen, whether they were older than 18, and whether they have been convicted or faced indictment for a theft or felony. Even personal health data was vulnerable in some cases, for example, if a juror had requested to be exempted from service for verified health reasons.

TechCrunch alerted Tyler to the issue on November 5; however, Tyler didn’t acknowledge the vulnerability until 20 days later. I’ll assume that was to keep additional nefarious culprits from knowing.

In a statement, Tyler spokesperson, Karen Shields, said that the company’s security team confirmed “A vulnerability exists where some juror information may have been accessible via a brute force attack. We have developed a remediation to prevent unauthorized access and are communicating next steps with our clients.” Follow-up questions, such as whether Tyler has the technical means to determine if there was any malicious access, or whether it plans to notify people whose data was exposed, went unanswered. My question would be, “Do victims get free credit monitoring paid for by Tyler?” They should.

It’s also not the first time Tyler left sensitive personal data exposed on the internet. Just two years ago, a separate security flaw revealed sealed, confidential, and sensitive data, such as witness lists, testimony, mental health evaluations, detailed allegations of abuse, and corporate trade secrets.

Here’s a ‘data-safe’ remediation. Get all this stuff off the cloud/internet. Last time I was in the jury duty pool, none of it was online. I simply had to call in each morning and ask if I needed to show up that day. If not, it was off to do my normal, everyday job. The only way to hack info was to go through a security check in the courtroom and con a court employee into giving out such information. Our data was much safer in the analog world.

Source used: TechCrunch