Tyler Technologies, one of the largest vendors of IT services to local governments, said Wednesday it was the victim of an incident that disrupted its internal network and phone systems.
The company has not explicitly described the event, attributing it only to “an unknown third party.” It is also not known what the impact is on Tyler’s thousands of local-government customers, which use the company’s software for everything from enterprise resource planning, managing open-data programs, scheduling court hearings, collecting fines and bill payments and sharing election data.
The company’s main corporate website has also been deactivated and replaced with a message that it is “working to bring the site back online.”
A memo Tyler sent to its clients Wednesday afternoon stated it has “no reason to believe that any client data, client servers, or hosted systems were affected.”
“Early this morning, we became aware that an unauthorized intruder had disrupted access to some of our internal systems. Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem,” read the statement from Tyler Chief Information Officer Matt Bieri.
Bieri added the company has has notified law enforcement and engaged third-party IT security and forensics investigators.
Tyler, based in Texas, has been on an upswing financially. The company reported 6% growth in the second quarter 2020, and last year recorded more than $1 billion in revenue for the first time in its history. It’s also been on a bit of an acquisition streak of civic-tech firms, with recent purchases including open-data software firm Socrata, police reporting software SceneDoc and juror-management system Courthouse Technologies.
Although the Tyler hack has not been described as ransomware, it could potentially expose the company’s customers to that type of threat, said Mike Hamilton, a former chief information security officer for the City of Seattle.
“They had bad guys inside their network,” said Hamilton, who is now a cybersecurity consultant to city and county governments, including Tyler customers.
Hamilton added that Tyler’s support technicians often have remote access to customers, allowing them to “go in and out of their systems with impunity.”
More distressingly, Hamilton said, is that one of Tyler’s enterprise resource planning platforms, known as Munis, does not support multi-factor authentication, suggesting that any credentials stolen by the actor that breached Tyler could potentially be used to plant ransomware on clients’ networks if left unchanged.
“If they had any password storage in there and it wasn’t encrypted, that’s what I’m afraid of,” he said. “Someone has lifted the keys to plant bombs in counties.”
Hamilton said he was especially concerned about potential impacts on counties that use Tyler software to manage election data, although the company does not manufacture software used for election administration. (Some of the case studies in the marketing for its data-management tools cite sharing of campaign-finance information.)
Federal intelligence and cybersecurity officials have warned that websites where counties post unofficial election-night tallies are ripe targets for ransomware or defacement hacks, with the potential to sow chaos about election results. County officials have also been getting briefings about toughening up their ransomware defenses.
Hamilton recommended that Tyler customers do a hard reset of passwords the company’s technicians use to access end users’ systems.
“If you’re a Tyler customer, lock out their log-ins,” he said.