2023
Maine Judicial Branch
Maine Courts Shut Off Online Records Access Over Security Concern
The Maine Judicial Branch (MJB) disabled online access to nearly all court documents on Sept. 15, 2023, after learning about security vulnerabilities with Odyssey system. According to the MJB, Tyler had announced that there were certain vulnerabilities with the 2018 version of Odyssey. UNKNOWN: The date the MJB first learned of those vulnerabilities has not been disclosed and is therefore unknown at the present time.BDN reported the shutdown on 12/14/2023
General
The vulnerabilities allowed public access to restricted, sealed, and confidential court filings using only a web browser.
Security flaws in court record systems used in five US states exposed sensitive legal documents | TechCrunch– 11/30/2023
CISA has assisted a researcher with coordinating the disclosure of multiple researcher-discovered vulnerabilities affecting web-based case and document management systems used by multiple state, county, and municipal courts. Affected systems include products from Tyler Technologies and Catalis and custom software used by specific counties in Florida.
Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems | CISA – 11/30/2023
Kansas Judicial Branch
On November 4, 2023, the Kansas Judicial Branch (KJB) announced that its information systems have been offline since October 12, 2023 due to a security incident. It stated that the shutdown affected daily operations of the state’s appellate courts and district courts in 104 counties.
The incident was described as a “foreign cyberattack” in which the hackers “stole data and threatened to post it to a dark web site if their demands were not met.” It was a ransomware attack.
Since discovery of the incident, the KJB has been regularly posting news and updates on its website regarding incident, including information regarding its nature and scope, guidance for attorneys and self-represented litigants, timeline for fixing, and status of its recovery efforts, all of which information is available here:
Court Systems Security Incident – KS Courts
Other news articles regarding the incident are available here:
Kansas electronic court system into 2nd week of being offline (kwch.com) – 10/24/2023
Kansas courts are in their second week of operating by paper. The statewide electronic system used for many of the courts’ functions remains offline following a security breach earlier this month. Yet to be revealed is how the breach happened. The Kansas judicial branch said it’s examining what happened and working to bring the system back up. There’s no timetable for when that’ll happen.
Kansas officials are calling a massive computer outage that’s kept most of the state’s courts offline for two weeks a “security incident” and, while they had not provided an explanation as of Wednesday, experts say it has all the hallmarks of a ransomware attack.
2022
State Bar of California
Profile data (specifically, case numbers, file dates, case types, case status, and respondents and complainant names) on about 260,000 nonpublic State Bar attorney discipline case records was compromised.
State Bar discovered breach on 2/24/2022.
State Bar notes that confidential court records from other jurisdictions also appear to have been compromised by same vulnerability in system.
Security vulnerability in Tyler Technologies Odyssey case management portal allowed the nonpublic records to be swept up by judyrecords when they attempted to access public records.
Records were available on the judyrecords site from October 15, 2021 to February 26, 2022.
UNKNOWN: whether hackers and other data aggregators have been able to access nonpublic records due to same security vulnerability.
News articles regarding the incident are available here:
Data Breach Updates (ca.gov) – 2022
State Bar of California – Data Breach Updates (see starting on 3/15/2022)
State Bar of California Addresses Breach of Confidential Data – The State Bar of California – News Releases – 2/26/2022
UPDATE: As of late Saturday, February 26, 2022 it appears that all State Bar records, confidential and public, have been removed from the site, with a note confirming this on the site. We are continuing to investigate.
What Happened With Tyler Technologies – judyrecords – (CA)
Judyrecords site operator provides detailed account of the nature of the security incident and explains how the incident occurred through a security design flaw in the Tyler system, which failed to perform any access control check before allowing user access to confidential records.
Data Harvest Information (tylertech.com) – Updated May 3, 2022
Information on Odyssey Portal Data Harvesting by Tyler Technologies
2021
How Secure are the Systems that Contain Very Personal and Sensitive Information?
In 2021, the American Bar Association published an article by Judge Herbert B. Dixon Jr. (Ret.) called, “The Court Has Been Hacked! It can be found at this link:
Then, there will be several empty blocks before we put in the Spoiler.
SPOILER: the article was a fictional account: The “article is intended as a wake-up call to our readers who have not thought seriously about threats to a court’s IT infrastructure. This narrative was intended to give readers a sense of what a worst-case scenario might look like from the inside and to visualize a ransomware attack on your court.”
In 2022, the ABA published a follow up entitled “Response to ‘The Court Has Been Hacked!'” to remind readers that cyberthreats are real and cyber incidents are inevitable. https://www.americanbar.org/groups/judicial/publications/judges_journal/2022/winter/response-the-court-has-been-hacked/
None of this should have been a surprise to court judiciaries or court administrators because security/cyber incidents have been a risk and reality since courts began using technology to process information.
For example, in 2020, David Slayton, the State Court Administrator in Texas wrote an article, entitled “Contracting the Virus: Not if, but when” discussing a ransomware attack during which “the appellate courts’ case management system was completely disabled, and related technology systems prevented the courts from receiving appellate records. By contrast, the attack did not seem to impact cloud-based technology solutions.” “Although the courts of appeals’ data was backed-up both on-site at the court of appeals and at OCA. Most of those backups had some level of corruption.” https://judicature.duke.edu/wp-content/uploads/2020/12/Slayton_Fall2020.pdf
According to Tim Starks of Politico:
Five similar attacks took place “since 2019, coinciding with the rise in ransomware attacks on governments in the U.S. in general. Some local courts have also been swept into broader attacks on municipalities, like in the 2018 ransomware attack against Atlanta. The two since the pandemic have been the May attack in Texas and another in June, when ransomware hit the Probate Office in Tallapoosa County, Ala.”