DALLAS – A day after informing customers that it had been hacked by an unknown intruder, a major U.S. provider of software services to state and local governments — including posting election data online — said the impact appeared limited and there is no reason to believe its customers were affected.
Tyler Technologies' website remained offline Thursday, and questions sent to a media email address provided by a person who answered the phone at the company's headquarters near Dallas were not directly answered.
An updated statement on Tyler's webpage did not address whether ransomware may have been involved. But it did say that none of its products are involved in managing elections.
“Based on the evidence available to-date, all indications are that the impact of this incident is limited to our internal corporate network and phone systems, and that there has been no impact on software we host for our clients,” the statement said. “Our hosted environment is separate and segregated from our internal corporate environment.”
Tyler said it shut down access to external systems after discovering the breach early Wednesday, enlisted independent information technology experts and notified law enforcement.
The Texas Department of Information Resources said it could not comment because of an ongoing federal investigation. The FBI declined to comment.
On Thursday, Department of Homeland Security and FBI officials issued a new warning that election results reporting systems could be attractive targets for hackers seeking to interfere in the Nov. 3 presidential election. In addition to spreading disinformation, foreign actors and cybercriminals could seek to change existing websites.
A major concern is the hacking of election-related sites — or adjacent computer networks from which hackers could reach them — by profit-seeking ransomware purveyors.
Customers' use of Tyler products for election data reporting appears limited.
Nashville's information technology director said the city uses a Tyler “open-data” product, Socrata, to post unofficial election night results, among other uses. A spokeswoman for Ramsey County, Minnesota's second-largest, which includes the state capital of St. Paul, said it uses Socrata to report election results but does not post them until they have been certified. In both instances, the data comes from separate election authorities.
Tyler said Socrata data is hosted on Amazon Web Services, not on the network that was hacked.
The publicly traded S&P 500 company provides software services for everything from jail and court management systems to payroll, human resources, tax and bill collection and land records. It also serves schools. Tyler says it has 5,500 employees and 1,500 customers in all 50 states and abroad.
A cybersecurity expert assisting municipalities that are Tyler customers, Mike Hamilton of CI Security, said he was concerned hackers may have obtained access to customers' passwords stored on its network and could penetrate their systems. Hamilton, a former chief information security officer for Seattle, said Tyler should be notifying customers to immediately reset all their passwords as a precaution.
“It’s completely possible that bad guys have been in there for a good amount of time,” he said.
Ramsey County spokeswoman Allison Winters said the Socrata platform is hosted remotely “and is entirely web based.” She said it does not, however, employ two-factor authentication for logging in by county employees — a serious cybersecurity deficiency that makes stealing log-in credentials easier.
Hamilton said Tyler's major product for municipalities, Munis, also lacks two-factor authentication.
Cybersecurity analysts speculated that Tyler was hit by ransomware, whose purveyors are increasingly breaking into company and government networks and siphoning out valuable data before scrambling them and demanding payouts. They threaten to make the stolen data public if the victim doesn’t pay up.
Brett Callow, an analyst with the cybersecurity firm Emsisoft, said Tyler may have been hit with the same ransomware that struck the Texas Department of Transportation, based on an encrypted file uploaded to the Google-owned malware identification service VirusTotal in June that included “tylertech” in the file name.
Data breaches often are not discovered until months after the fact, or until data is suddenly scrambled and a ransom demand issued.
Hanna Pickering, director of information technology in Portland, Maine, said the city uses Tyler platforms for payroll, permitting, city inspections, city planning and human resources, among other things. Those city functions have not been affected by the breach at Tyler, she said.
Pickering said she'd be more concerned if Tyler hosted the city’s information, but in Portland “our network protects our data.”
Bajak reported from Boston.