The U.S. federal judiciary has confirmed that its case management (CM) electronic case filing (ECF) system—the CM/ECF and PACER backbone—was breached in a sophisticated cyberattack. While public filings are part of the court’s open nature, sealed records were exposed. Those include information that could identify confidential informants, sealed indictments, and warrants; material that could put people at risk, derail investigations, or reveal law enforcement strategy.
Although federal court leadership has avoided naming the culprit, signs point toward a nation-state–affiliated advanced persistent threat (APT). The target profile fits: sealed judicial records are a high-value source of intelligence for foreign adversaries and organized crime.
This isn’t the judiciary’s first brush with compromise. A 2020 breach, separate from the SolarWinds incident, also exposed weaknesses in CM/ECF. That event resulted in the courts halting electronic filing for “highly sensitive documents” entirely. The 2025 incident is bigger, more coordinated, and a direct challenge to the trust and operational security of the justice system.
And while this happened in the courts, the implications stretch far beyond the judiciary. For state and local government leaders, the breach is another proof point: if your systems hold sensitive data, they’re in scope for the same caliber of attack.
For many in public safety, the natural question is, “Was CJIS compromised?” There’s no evidence that the FBI’s III or NCIC systems were accessed. But this breach still squarely targeted Criminal Justice Information (CJI)—the broader category of sensitive data used across courts, law enforcement, and justice partners.
While CJIS policy is the compliance baseline, many states and municipalities wisely paint with a broader brush to protect all CJI, not just what’s explicitly covered. That means extending CJIS-level controls to court records, warrants, or investigative files that, if exposed, would undermine investigations or endanger individuals.
Despite recent improvements like mandatory MFA for CJIS access, a key risk remains: if compromised systems can interface with CJIS-managed systems—like a sealed affidavit repository feeding into law enforcement databases—a lateral compromise is possible.
Weak application security or business logic abuse could allow an attacker to bypass MFA entirely. That’s not a theoretical threat; it’s a reminder that the fundamental security of the collective ecosystem depends on the strength of every connected system.
The breach should be a wake-up call not just for those who handle court or law enforcement data, but for any agency holding protected information. If attackers can compromise a system containing CJI, they can just as easily target those holding:
The breach is a reminder that compliance frameworks are useful, but attackers don’t care which acronym you operate under—they care about the value of the data.
This attack happened in a court system, but the underlying challenge is one every state and local government knows well: public-facing systems must be secure while still serving constituents.
Courts, agencies, and municipalities all maintain services that need to be accessible to the public: case lookups, permit applications, tax payments, benefits portals. These systems often connect to or interact with internal networks and databases.
The reality:
The lesson isn’t that every court-like system is doomed; it’s that daily operational realities make vigilance non-negotiable.
Upgrading legacy systems is important, but it’s rarely simple. Many critical platforms are vendor-hosted, and negotiating contract changes can be slow. Even when approved, staffing and opportunity costs are high.
If modernization is on your roadmap, follow through, but inspect the security of the replacement. It’s a waste to migrate from an insecure legacy system to a new insecure system with a nicer interface.
If you can’t upgrade, start with a proper penetration test. Identify exploitable weaknesses, then push those signatures into your firewall or web application firewall to buy time until you can patch.
Zero Trust sounds great. It's like saying, “if you want to fix your car, just buy one that never breaks down.” In practice, it’s a big lift. Most agencies still run discretionary access control models, while Zero Trust requires role-based access control and systems capable of enforcing it.
If you can implement it, do. But recognize it’s an architectural shift, not just a checkbox.
Keep it simple: all privileged accounts and any access to sensitive systems should require multi-factor authentication. Where possible, use phishing-resistant methods like hardware tokens.
Patch management and EDR coverage are table stakes, but don’t stop there. Include business logic exploits in penetration tests; attackers often bypass security controls not by breaking encryption, but by abusing the way an application handles requests.
If your systems are vendor-hosted, now’s the time to review contract language around security responsibilities. If it’s vague, start the conversation.
Ask vendors:
Making it explicit that they are responsible—and holding them to that standard—is part of protecting your agency.
The breach of the federal courts isn’t just a judiciary problem; it’s a government-wide reality check. CJI was the target here, but swap in IRS 1075, MARS-E, or HIPAA, and the same principles apply. Sensitive data is sensitive data, and if it has value to adversaries, it’s at risk.
Public sector leaders can’t always swap out old systems overnight, but they can test them, monitor them, lock down access, and hold vendors accountable. They can prioritize fixes for the most exploitable weaknesses and ensure the systems that connect across agencies aren’t the weakest link in the chain.
This incident reinforces a simple truth: the security of the whole depends on the security of each part. Protecting your agency’s systems protects not just you, but every partner and constituent who depends on you. That’s the collective responsibility—and the collective opportunity—of public sector cybersecurity.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.