spacer module is 25px

Overview: Tyler Internal Systems Outage

Updated September 26, 2020, 12:30 a.m. CT

Tyler Technologies is in the process of responding to a security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party. We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response.

Early in the morning on Wednesday, September 23, 2020, we became aware that an unauthorized intruder had disrupted access to some of our internal systems. Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem. That same morning, we engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We have implemented targeted monitoring to supplement the monitoring systems we already had in place, and we have notified law enforcement.

We have confirmed that the malicious software the intruder used was ransomware. Because this is an active investigation, we will not provide any additional specifics relating to our incident response or our investigation at this time.

Scope of Outage and Client Impact

Based on the evidence available to-date, all indications are that the impact of this incident was directed at our internal corporate network and phone systems. The environment where we host software for our clients is separate and segregated from our internal corporate environment. This includes our disaster recovery services.

Steps We Are Taking

We have activated targeted monitoring to supplement the monitoring services we already had in place, and we have detected no compromises in client systems that Tyler hosts. We are committed to completing a full forensics investigation and taking all appropriate actions in response to our findings.

Steps Our Clients Should Take

Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented. If clients haven't already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.

If your agency identifies any suspicious logins identified with Tyler user accounts, please notify us immediately at Security@tylertech.com.

Tyler clients can continue to log support incidents using the link to the online support portal on this page. If you need assistance specifically with a password reset, you can contact us through that support portal or email us at accthelp@tylertech.com.

Information and Updates

We will be posting updates on www.tylertech.com as our response continues. Please check here first for verified information. Our internal teams are doing their best to keep up with inquiries, but our website updates will represent the best source of current information we can provide at scale.

To Clients:
Update Regarding File Sharing and Other Interactions

Updated October 9, 2020, 10:00 a.m. CT

Our investigation and remediation efforts have reached the point where we have been cleared to resume certain file sharing activities, safe connection to our internal networks, and more normalized operational interaction with our clients. While certain limitations remain, our Tyler team members can securely resume interactions with our clients using tools that have been approved so far.

We have reached this point through the around-the-clock efforts of Tyler team members and the parallel efforts of our third-party providers who have been assisting us. That includes an independent, nationally recognized incident response provider who worked with us through the steps to reach this point. We are pleased that both our internal teams and our external partners agree that we can resume activities at this level.

Our recovery and remediation efforts are ongoing, as is our investigation. When additional recovery/remediation milestones are met and our investigation is complete, we expect to share additional updates.

Questions and Clarifications

Updated October 19, 2020, 8:00 a.m. CT

Addressing this incident is Tyler's highest priority. We are deploying every resource at our disposal, both internal and external, to take whatever steps are needed to return to business as usual. We are committed to doing that in a responsible, deliberate way, and we are laser-focused on those efforts. We value our partnerships with our client community, which we notified on the same business day that we ourselves learned of the incident. We will provide additional facts as they are confirmed, bearing in mind that this is still an active investigation that we must manage safely and securely. Please continue to check back here for updates as they are available.

We have confirmed that the malicious software used to disrupt our internal corporate network was ransomware. Given the sensitivities around the incident and our investigation of it, and our active cooperation with law enforcement, we are not at liberty to disclose additional details at this time.

Our investigation has reached the point where we are resuming more normalized operations internally and with our clients. We are taking a methodical, deliberate approach in reviewing and ensuring the security of each system and piece of equipment before clearing them for use. Our investigation is likely to take some time, which is typical for a security incident of this nature.

We have also restored full functionality of our website. As with other steps in this process, we have conducted a rigorous analysis of the site, including review by third-party experts. We will continue to provide updated incident-response information on our relaunched website.

We are taking the same methodical and deliberate approach we have taken over the course of our investigation. In addition to our recovery and remediation efforts, we have already implemented additional measures to layer onto the security protocols we had in place prior to September 23. Our approach includes supplemental software and managed services, along with recommended post-incident best practices.

Tyler's Online Services and Support teams have reviewed all the logs, monitoring, traffic reports, volume reports, and cases related to utility and court payments. There were no outages with any of our online payment systems and payment activity has functioned normally during this time.

Based on all of the evidence gathered to date through our around-the-clock response efforts, all information available to us continues to indicate that this incident was directed at Tyler's internal corporate environment and not the separate environment where we host client systems, which includes Tyler Disaster Recovery services. We have disconnected points of access between Tyler's internal systems and our client systems to further protect our clients. We have also enabled targeted monitoring of our corporate and hosted environments to supplement the monitoring we already had in place.

We have no reason to believe our financial, payroll or human resource information systems have been impacted. Tyler uses our Munis software — the same software used by many of our clients — for our internal financial management, as well as our payroll and HRIS functions. Munis is hosted outside of Tyler's corporate network, in the same environment where we host client systems. All evidence continues to indicate that this incident was directed at Tyler's internal corporate environment and not the hosted environment.

Based on all of the evidence gathered to date through our around-the-clock response efforts, all information available to us continues to indicate that this incident was directed at Tyler's internal corporate environment and not the separate environment where we host client systems. In addition, our Socrata platform is hosted offsite on AWS (Amazon Web Services), and our Tyler Federal (Entellitrak, Versa, CAVU, ACO, GA Courts, and DCM clients) and Tyler Detect cybersecurity platforms are maintained in entirely separate environments. There is no evidence of any impact on those environments whatsoever.

Tyler does not make election software. The Socrata open data platform is a Tyler product used to provide dashboards that display aggregated data from other sources. It is the only Tyler product that has any relation to election data and none of our Socrata data products support voting or election systems or store individual voting records. Users of our Socrata open data solution may use the platform to post election results, to promote transparency around campaign finance, or to post information on polling dates and locations. Very few Tyler clients enlist the application for this use.

Tyler's Socrata product is a SaaS data platform that is hosted offsite on AWS (Amazon Web Services), not on Tyler's internal network that was impacted. We have never had a report that a bad actor has used our Socrata platform to display incorrect or misleading election results, polling locations, campaign finance information, or other civic data.

After notifying clients of suspicious logins at two Tyler client sites early Saturday morning, September 26, we opened channels for clients to advise of suspicious logins on their networks. Of the limited number of reports received, we have no evidence of malicious activity on client systems to date. Each of the two reporting clients that prompted our notification has since cleared the reported activity. Please see this page for “Steps Our Clients Should Take” if you have specific concerns.

Software companies have many approved options for remote support connections. One used by Tyler, for example, is BeyondTrust, previously known as Bomgar, to provide secure, remote access to client environments. Clients have control of how, when, or if Tyler Support connects via BeyondTrust. Tyler does not automatically download BeyondTrust without a client’s knowledge, nor is Tyler aware of any unusual activity related to BeyondTrust.

As a rule, Tyler will never ask for your login credentials over email. If you receive a suspicious email, do not open any attachments, click on any links, or reply to the sender. We recommend you follow the directions from your local IT department regarding how to report a suspicious email to validate its authenticity. If you opened an attachment or clicked on a link within a suspicious email, we recommend that you immediately report the incident to your local IT department and follow their instructions.

If you would like to report a suspicious email that you believe originated from a Tyler team member, you can email security@tylertech.com. Please do not forward the suspicious email itself, unless otherwise advised by Tyler. Simply provide the date of the email, the name and email address the email came from, the email subject line, and a general description of the content of the email.

Phishing attempts and social engineering are an ongoing issue for businesses of all kinds. Emails may appear to come from contacts whose names and/or domains you recognize, and inquiries that appear benign, including phone calls from unverified contacts, may be attempts to gather information related to information security. Detailed guidance is available on the FTC website.

Tyler has been in contact with law enforcement and we are cooperating with them.

Tyler is being guided by standard incident response protocols and the advice of experts. Law enforcement has requested that we keep information about the variant confidential at this time. Tyler is committed to continuing to share accurate information and incident updates as our investigation continues. When we can safely disclose additional information, we will.

Tyler is regularly communicating with its clients and updating this page with information as it is available to share. We are cooperating with law enforcement, and any third-party vendor with factual knowledge about the specifics of the incident or our response to it is working with us under a confidentiality obligation; they will not be separately sharing details or discussing this incident publicly. It’s a good practice to educate yourself generally on security practices. That said, any third-party discussion of the details of our incident would be speculation.

No, Tyler has not directed third parties to contact our clients; nor have we provided names or contact information about our client base. Our investigation continues to confirm that the impact of this incident was directed at our internal corporate network and phone system.

We understand many people would like additional details regarding the incident we experienced. We sympathize with that interest; however, we are guided by standard incident response protocols and are committed to addressing this incident in a secure and responsible way. That includes sharing information when it is validated and safe to do.

Phone systems in all office locations are now fully operational. For other inquiries:

  • Support: Use the online support portal
  • Media: Email media.team@tylertech.com
  • General Security Topics and Inquiries: Use the Contact Us button at the top of this page and your question will be routed to the appropriate contact.
spacer module is 300px