Critical Flaws in Government Systems Put Legal and Voter Data at Risk

Jason Parker

A recent wave of cybersecurity disclosures has uncovered alarming vulnerabilities in the platforms that government agencies and courts rely on to manage sensitive public records and legal documents. These findings reveal critical security weaknesses that could allow attackers to access confidential information, manipulate legal filings, and compromise personal data across several key systems.

These systems play a critical role in the judicial process, managing everything from legal cases to public records on behalf of government agencies. However, beneath their essential functions, these platforms harbor vulnerabilities that could be exploited with ease — even by attackers with minimal technical expertise, thus underscoring the fragility of systems meant to safeguard our most sensitive public records.

Vulnerable systems seem to be the norm more than the exception. Vulnerabilities have been found in multiple different agencies responsible for many vital government services. Recently, flaws in Georgia’s voter registration cancellation portal exposed how easily malicious actors could exploit basic public information to cancel voter registrations, unfortunately typifying the scope of security weaknesses in public systems.

The Problem at a Glance

At the heart of the issue are weak permission controls and poor validation of user inputs, which allow attackers to gain unauthorized access to sensitive areas of the system. Many platforms rely on predictable user IDs or allow users to manipulate data fields, thus granting themselves higher-level access. Once inside, attackers can view or even alter confidential records, including legal filings and personal data.

In Georgia, a serious flaw in the voter cancellation portal allowed attackers to submit cancellation requests using easily accessible information such as a person’s name and birthdate, bypassing necessary authentication steps. This vulnerability in a voter registration portal, much like those found in court systems, underscores how inadequate security measures can put citizens’ rights and personal information at risk.

Granicus GovQA, a platform used by government agencies for managing public records, demonstrated one of the more significant findings. Attackers were able to easily reset passwords without verifying a user’s identity and, more concerningly, could gain access to usernames and emails by simply manipulating web addresses. With this level of control, malicious actors could hijack accounts, change the ownership of sensitive public records, or lock legitimate users out of their own requests.

Similarly, Thomson Reuters’ C-Track eFiling system allowed attackers to elevate their user status to that of a court administrator. By manipulating certain fields during the registration process, attackers could gain privileged access to the system, potentially viewing or tampering with sensitive court data.

In various counties across Florida — including Sarasota, Hillsborough, and Monroe — weak access controls in court record platforms allowed attackers to access restricted court documents by guessing document IDs or manipulating session cookies. Compromised records included sealed documents, mental health evaluations, and witness lists, exposing private information that should have been securely protected.

A Broad Spectrum of Risk

The vulnerabilities discovered in these platforms reveal systemic security failures that span regions and vendors. For example, Arizona’s Maricopa County Superior Court eFiling system allowed attackers to exploit API endpoints and retrieve restricted legal documents. By simply guessing user IDs, attackers could access sensitive court filings, further exposing private legal matters.

Similarly, vulnerabilities in the Catalis EZ-Filing platforms, used in Georgia, South Carolina, and other states, allowed attackers to extract personal information such as names, addresses, and contact details. One version of the system even made it possible to access sealed court documents, including highly sensitive mental health reports, placing vulnerable individuals at risk.

Granicus eFiling allowed attackers to register as administrators and even allowed changing the ownership of legal documents, giving full control over entire case files. This potential for data manipulation raises serious concerns about the reliability of court systems and the legal process itself.

Georgia’s voter cancellation portal vulnerabilities further illustrate the gravity of these systemic issues. Just as attackers could manipulate legal documents, attackers could also cancel voter registrations with minimal effort, potentially disenfranchising voters without their knowledge. In these systems, basic security oversights threaten not only individual privacy but also the democratic process itself.

Far-Reaching Consequences

The vulnerabilities exposed in these platforms are more than just technical oversights — the serious and repeated nature of these vulnerabilities is undermining public trust in the corporations and institutions entrusted with managing our most sensitive legal and personal information. To quote Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, “We need to demand more of technology vendors.”

These platforms are supposed to ensure transparency and fairness, but are failing at the most fundamental level of cybersecurity. If a voter’s registration can be canceled with little effort and confidential legal filings can be accessed by unauthorized users, what does it mean for the integrity of these systems?

What Can Be Done?

Fixing these issues requires more than just patching a few bugs. It calls for a complete overhaul of how security is handled in court and public record systems. To prevent attackers from hijacking accounts or altering sensitive data, robust permission controls must be immediately implemented, and stricter validation of user inputs enforced. Regular security audits and penetration testing should be standard practice, not an afterthought, and following the principles of Secure by Design should be an integral part of any Software Development Lifecycle.
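As an added illustration (not code from any of the vendors or systems named in this article), the sketch below shows the two controls described above on a constructed in-memory filing system: registration accepts only an allow-list of fields and assigns the role on the server, and every document fetch is authorized against the authenticated user rather than trusting the document ID. All names, roles, and the access policy are assumptions made for the example.

```python
import secrets

# Constructed in-memory stores standing in for a filing system's database.
USERS = {}      # user_id -> {"email", "display_name", "role"}
DOCUMENTS = {}  # doc_id  -> {"owner", "sealed", "body"}

# Only these fields may ever be set by the client at registration.
REGISTRATION_FIELDS = {"email", "display_name"}

class Forbidden(Exception):
    """Raised for both 'no such record' and 'not allowed' so callers
    cannot tell the two apart by probing identifiers."""

def register(form):
    # Reject unexpected fields such as "role" instead of silently copying
    # the submitted form onto the user record.
    unexpected = set(form) - REGISTRATION_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    user_id = secrets.token_urlsafe(16)  # random, not sequential
    USERS[user_id] = {
        "email": form["email"],
        "display_name": form.get("display_name", ""),
        "role": "filer",  # role is decided by the server, never the client
    }
    return user_id

def store_document(owner_id, body, sealed=False):
    doc_id = secrets.token_urlsafe(16)
    DOCUMENTS[doc_id] = {"owner": owner_id, "sealed": sealed, "body": body}
    return doc_id

def fetch_document(session_user_id, doc_id):
    # session_user_id must come from the server-side session, not from a
    # request parameter or a cookie value the client can edit.
    user = USERS.get(session_user_id)
    doc = DOCUMENTS.get(doc_id)
    if user is None or doc is None:
        raise Forbidden("not found or not permitted")
    is_clerk = user["role"] == "clerk"
    # Assumed policy: sealed records are clerk-only; everything else is
    # readable by its owner or a clerk. Knowing the ID grants nothing.
    if doc["sealed"] and not is_clerk:
        raise Forbidden("not found or not permitted")
    if not (is_clerk or doc["owner"] == session_user_id):
        raise Forbidden("not found or not permitted")
    return doc["body"]
```

Random identifiers only make records harder to enumerate; the per-request ownership and role check in `fetch_document` is what actually enforces access.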

Furthermore, the widespread adoption of multi-factor authentication (MFA) could provide an additional layer of protection, preventing attackers from easily taking control of accounts. Ongoing training for IT personnel on the latest security practices is equally important, as is raising awareness among users about phishing risks and other common attack vectors.

This series of disclosures is a wake-up call to all organizations that manage sensitive public data. If they fail to act quickly, the consequences could be devastating — not just for the institutions themselves but for the individuals whose privacy they are sworn to protect.

For now, the responsibility lies with the agencies and vendors behind these platforms to take immediate action, to shore up their defenses, and to restore trust in the systems that so many people depend on.

Jason Parker

cybersecurity researcher | independent journalist | software developer | telephony engineer | open source contributor. https://jeltz.org/