Tyler Technologies customers report suspicious logins after ransomware attack

The company is telling its local-government customers to revoke credentials used by its technicians for remote access.
(Getty Images)

Tyler Technologies told the local governments that use its software over the weekend to change the passwords that the company’s technicians use to remotely access clients’ systems, after multiple customers reported detecting “suspicious logins” to their networks following a ransomware attack last week against the civic tech vendor.

While Tyler continues to say the impact of the attack, reported last Wednesday, was directed at its internal systems and not its customers, the company updated its guidance Saturday following reports of unexpected access. It’s now advising users to revoke remote-access credentials.

“Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” a statement on Tyler’s website reads. “If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.”

The public update followed a similar email message Tyler sent to its customers Friday night, after two of its customers reported suspicious logins.


And members of a Reddit forum for K-12 tech administrators wrote last week that they discovered installations of a remote-access client called Bomgar, which Tyler is known to use when servicing customers of its software, ZDNet reported.

Tyler’s new advice to reset the passwords used by its tech support staff follows a suggestion last week by former Seattle Chief Information Security Officer Mike Hamilton: “If you’re a Tyler customer, lock out their log-ins.”

The Tyler Technologies incident has been linked to the RansomExx malware, which has previously been seen in attacks on the Texas Department of Transportation and several other corporate victims.

News of a cyberattack against a major vendor of IT services to local governments has also set off a fresh round of alarm that election-related systems could be targeted by ransomware. While Socrata, one of Tyler’s open-data platforms, can be used to display election-result and campaign-finance data, the company does not make any software that is used in the voting process. The company also says that just a handful of clients use Socrata, which is hosted in an Amazon Web Services cloud rather than the company’s own servers, to display election data.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts