In a scathing letter, Sen. Ron Wyden (D-Ore.) blasted the federal judiciary for its handling of a hack of the federal courts’ case management system earlier this year. It’s the second time in five years that this system has been hacked.

The letter to John Roberts, the Chief Justice of the Supreme Court, called for an independent review of the incidents - the first in 2020 and the second discovered in July 2025 - as well as the judiciary’s security practices and “mismanagement of its own technology.”

“The federal judiciary has repeatedly proven itself incapable of protecting the highly sensitive and confidential information with which it has been entrusted,” according to Wyden’s letter last week. “The federal judiciary’s current approach to information technology is a severe threat to our national security.”

The letter comes on the heels of media reports from earlier in August, which said that the case management system incident targeted documents related to criminal activity across eight district courts. The hack reportedly stemmed from weaknesses in the courts’ electronics filing system, which includes the CM/ECF (Case Management/Electronic Case Files), used by legal teams to upload case documents. According to Politico, the weaknesses in the filing system targeted by threat actors this year were similar to those exploited during the 2020 hack, and related to the way that users authenticate to CM/ECF.

Despite these hacks, the federal judiciary still does not mandate federal courts to meet certain cybersecurity requirements, said Wyden. That leaves the 94 federal district courts and 12 courts of appeals with varying levels of security measures - if any - they can choose to adopt. 

This speaks to an underlying challenge that may have exacerbated this type of hack: the way that security is managed by the Administrative Office of the U.S. Courts and across individual courts. When it comes to cybersecurity requirements, individual courts are given leeway and little guidance about the best practices to take, meaning that some courts haven’t opted to install security monitoring, according to Politico. That also applies to the CM/ECF system, which is reportedly run and managed autonomously by individual federal courts on their servers.

“These serious problems in the judiciary’s approach to cybersecurity have been able to fester for decades because the judiciary covers up its own negligence, has no inspector general and repeatedly stonewalls congressional oversight."

A review of this system by the General Services Administration led the entity to deem it “outdated” and “not sustainable.” Data that passes through the courts includes confidential information like national security documents, sealed criminal charges, and sensitive investigative documents.

This opens stark security gaps and also leaves the courts lagging when it comes to security best practices. While federal agencies have been required by federal law to use multi-factor authentication (MFA) since 2015 (and phishing-resistant MFA since 2022), for instance, the Administrative Office of the U.S. Courts only recently said it will require MFA for access to the case management system by the end of this year. Additionally, the requirements are for a weaker form of MFA, versus mandating the stronger alternative of phishing-resistant MFA.

“These serious problems in the judiciary’s approach to cybersecurity have been able to fester for decades because the judiciary covers up its own negligence, has no inspector general and repeatedly stonewalls congressional oversight,” said Wyden. “This status quo cannot continue.”

Wyden said the courts also did not respond to several questions he had sent after the 2020 hack, regarding how the incident had occurred and what data was accessed by attackers. 

In an announcement in early August, the federal judiciary acknowledged the hack and said that it is “taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system,” though it didn’t specify what security measures it was taking.

“The vast majority of documents filed with the Judiciary’s electronic case management system are not confidential and indeed are readily available to the public, which is fundamental to an open and transparent judicial system,” according to the federal judiciary. “However, some filings contain confidential or proprietary information that are sealed from public view.”

Note: Cisco and Duo are no longer affiliated with Decipher.  All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.

  • Recent Posts

  • Recent Comments

    No comments to show.