Incident: Ransomware Attack on Tyler Technologies' Internal Systems.

Published Date: 2020-09-24

Postmortem Analysis
Timeline
1. The software failure incident happened in September 2020 [105097, 107573, 105812, 105059, 105819, 105096].

System
1. Tyler Technologies' internal network and phone systems [105096, 105812]
2. Socrata dashboard software used by some election officials to aggregate and share election results [105812]

Responsible Organization
1. Unknown [105097, 107573, 105812, 105059, 105819, 105096]

Impacted Organization
1. Tyler Technologies [105097, 107573, 105812, 105059, 105819, 105096]

Software Causes
1. Ransomware attack on Tyler Technologies' internal systems [105097, 107573, 105812, 105059, 105819, 105096]

Non-software Causes
1. The failure incident was caused by an unknown third party hacking into Tyler Technologies' internal systems, leading to unauthorized access to their phone and information technology systems [105819].
2. The hackers used ransomware to encrypt company files and demanded payment to decrypt them [105096].
3. The attack was part of a wider trend of ransomware attacks targeting state and local governments, with Tyler Technologies being one of the victims [107573].
4. The attack on Tyler Technologies was part of a series of ransomware attacks on various entities, including the Texas Department of Transportation, indicating a broader trend of such attacks [105059].

Impacts
1. Some customers of Tyler Technologies reported suspicious logins following a ransomware attack, prompting the company to urge clients to reset passwords used by Tyler staff to access customer versions of its software [105097].
2. Tyler Technologies confirmed that an unknown party had hacked its internal systems, leading to unauthorized access to internal phone and information technology systems [105819].
3. The ransomware attack on Tyler Technologies had no impact on the software hosted for clients, as the malicious software used by the intruder was contained within the company's internal corporate network and phone systems [105096].
4. The attack raised concerns among local officials due to the potential risk of the hacker using Tyler's administrative access to breach local versions of its programs, such as those used for dispatching emergency responders [105096].

Preventions
1. Implementation of robust cybersecurity measures such as regular security audits, penetration testing, and intrusion detection systems could have helped prevent the software failure incident [105097, 107573, 105812, 105059, 105819, 105096].
2. Enforcing strong password policies, including the use of two-factor authentication, could have enhanced the security of the systems and prevented unauthorized access [105812, 105819].
3. Timely software updates and patches to address known vulnerabilities could have mitigated the risk of exploitation by hackers [105097, 107573, 105059].
4. Improved employee training on cybersecurity best practices and awareness of potential threats could have reduced the likelihood of successful phishing attacks or social engineering attempts [105097, 107573, 105819].
5. Enhanced monitoring and logging of system activities could have provided early detection of suspicious behavior and unauthorized access attempts [105097, 107573, 105059].
6. Implementing data backup and disaster recovery plans could have minimized the impact of ransomware attacks by allowing for the restoration of systems and data without paying the ransom [105059, 105096].

Fixes
1. Implementing stronger cybersecurity measures, such as two-factor authentication, to prevent unauthorized access to systems [105812].
2. Conducting a thorough investigation to identify the extent of the breach and any potential data theft [105096].
3. Resetting passwords for all systems accessed by Tyler staff as a precautionary measure [105812].
4. Enhancing monitoring and detection capabilities to identify and respond to future security incidents promptly [105096].
5. Collaborating with law enforcement agencies like the FBI to investigate the incident and potentially track down the perpetrators [105097, 105059].
6. Ensuring that client data and hosted systems remain secure and segregated from internal corporate networks [105812, 105096].
7. Cooperating with security specialists to assess and improve the overall security posture of the organization [105096].

References
1. Tyler Technologies [105097, 107573, 105812, 105059, 105819, 105096]
2. FBI [105097, 107573, 105812, 105059, 105819, 105096]
3. Department of Homeland Security [105097, 107573, 105812, 105059, 105819, 105096]
4. Reuters [105097, 105819, 105096]
5. Associated Press [105059]
6. CI Security [105812]
7. Mike Hamilton [105812]
8. Brett Callow [105059]
9. Frank Bajak [105059]
10. Raphael Satter [105819]
11. Stephen Coates [105819]
12. Leslie Adler [105819]
13. Joseph Menn [105097, 105819, 105096]
14. Christopher A. Wray [107573]
15. Mark Meadows [107573]
16. Dan Wallach [105059]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident has happened again at Tyler Technologies. The company experienced a ransomware attack, with the hacker gaining unauthorized access to its internal systems [Article 105819]. Tyler Technologies had previously reported a ransomware attack incident, where some of its customers reported suspicious logins following the hack [Article 105097].
(b) The software failure incident has also occurred at other organizations. A Texas company that sells software for election night results was hit by ransomware, similar to the attack on Tyler Technologies [Article 107573]. Additionally, the Texas Department of Transportation was also hit by ransomware, possibly with the same ransomware that affected Tyler Technologies [Article 105059].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the incident involving Tyler Technologies being hacked with ransomware. The incident was attributed to an unknown party hacking into Tyler's internal systems, leading to unauthorized access to their internal phone and information technology systems [Article 105819]. This breach was a result of a security incident involving unauthorized access to their internal systems by a third party, indicating a failure in the design or implementation of their security measures.
(b) The software failure incident related to the operation phase can be observed in the incident where Tyler Technologies confirmed that it was hit by a ransomware attack. The attack compromised the company's phone and information technology systems, leading to the use of ransomware by the intruder [Article 105059]. This indicates a failure in the operation or management of the systems, allowing the ransomware attack to occur and potentially impact the company's operations.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident involving Tyler Technologies was due to contributing factors that originated from within the system. Tyler Technologies confirmed that the hacking attack against it used ransomware, which encrypted company files [Article 105096]. The attack was described as a "security incident involving unauthorized access to our internal phone and information technology systems by an unknown third party" [Article 105819]. Tyler Technologies stated that the impact of the incident was limited to its internal corporate network and phone systems, with no impact on the software hosted for clients [Article 105819]. Additionally, the company mentioned that the malicious software used by the intruder was ransomware and that the incident did not affect the software hosted for clients [Article 105096].
(b) outside_system: The software failure incident was also influenced by factors originating from outside the system. The attack on Tyler Technologies was carried out by an unknown party who hacked its internal systems [Article 105819]. The FBI and the U.S. Department of Homeland Security warned about foreign hackers attempting to access and alter websites reporting election results, which could be a potential target for hackers seeking to interfere in the presidential election [Article 105819]. The incident raised concerns among local officials due to the potential impact on election-related sites and the possibility of hackers using Tyler's administrative access to breach local versions of its programs [Article 105096].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software vendor Tyler Technologies reported suspicious logins and a hack with ransomware affecting its internal network, leading to concerns about potential data encryption and demands for payment [Article 105097].
- Tyler Technologies confirmed that the hacking attack against it used ransomware, encrypting company files and demanding payment to decrypt them, with the impact limited to its internal corporate network and phone systems [Article 105096].
(b) The software failure incident occurring due to human actions:
- Tyler Technologies urged clients to reset passwords that Tyler staff would use to access customer versions of its software after reports of suspicious logins, indicating potential vulnerabilities introduced by human actions [Article 105097].
- Cybersecurity experts recommended that counties reset passwords used to log into Tyler's systems as a precaution, highlighting concerns about potential access by hackers due to stored passwords and lack of two-factor authentication [Article 105812].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- There is no specific mention in the provided articles about the software failure incident occurring due to contributing factors originating in hardware. Therefore, there is no information available to support this option.
(b) The software failure incident occurring due to software:
- The software failure incident reported in the articles is attributed to ransomware attacks on Tyler Technologies' internal systems, leading to unauthorized access and encryption of company files [Article 105097, Article 107573, Article 105812, Article 105059, Article 105819, Article 105096]. This incident is a result of contributing factors originating in software, specifically the ransomware used by the hackers to encrypt the company's files.

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The objective of the software failure incident was malicious:
- Tyler Technologies reported that it had been hacked with ransomware, where an unknown party had hacked its internal systems [105819].
- Tyler Technologies confirmed that the intruder used ransomware in the attack [105059].
- The attack against Tyler Technologies used ransomware, which encrypts company files and demands payment to decrypt them again [105096].
- The ransomware attack on Tyler Technologies was particularly concerning as it occurred less than 40 days before the election and could potentially disrupt election-related systems [107573].
(b) The objective of the software failure incident was non-malicious:
- Tyler Technologies stated that the impact of the incident was limited to its internal corporate network and phone systems, with no impact on the software hosted for clients [105819].
- Tyler Technologies mentioned that none of its products were involved in managing elections, indicating that the incident did not directly affect election-related systems [105812].

Category: Intent (Poor/Accidental Decisions)
Option: unknown
Rationale:
(a) The intent of the software failure incident:
- The software failure incident involving Tyler Technologies was due to a ransomware attack [105097, 107573, 105812, 105059, 105819, 105096].
- Ransomware is a type of malicious software that encrypts files and demands payment in exchange for decryption.
- The attackers used ransomware to encrypt company files and demanded payment to decrypt them.
- The attack was aimed at Tyler Technologies' internal systems, leading to concerns about potential data breaches and disruptions.
- The ransomware attack was likely financially motivated, as ransomware purveyors seek payouts from victims to unlock encrypted data.
- The incident raised concerns about the security of election-related sites and the potential for disruption in reporting election results.
- The attack was a deliberate act by an unknown party to compromise Tyler Technologies' systems and potentially gain access to sensitive information.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The software vendor Tyler Technologies reported a hack with ransomware, leading to suspicious logins in client systems [105097].
- Tyler Technologies confirmed that the hacking attack used ransomware, encrypting company files and demanding payment to decrypt them [105096].
(b) The software failure incident occurring accidentally:
- Tyler Technologies acknowledged being hit by a ransomware attack, but did not provide further details on its response, citing an ongoing investigation [105059].
- Tyler Technologies confirmed that the impact of the incident was limited to its internal corporate network and phone systems, with no impact on software hosted for clients [105096].

Category: Duration
Option: temporary
Rationale:
The software failure incident reported in the articles appears to be temporary. The incident involved a ransomware attack on Tyler Technologies, a major U.S. provider of software services to state and local governments, including election-related systems. The attack compromised Tyler's internal systems, leading to unauthorized access by an unknown third party [Article 105819]. Tyler confirmed that the hacker used ransomware to encrypt company files but stated that the impact was limited to their internal corporate network and phone systems, with no impact on the software hosted for clients [Article 105096]. The incident prompted Tyler to notify law enforcement, bring in security specialists, and work on restoring its systems [Article 105819].

Category: Behaviour
Option: omission, other
Rationale:
(a) crash: The articles do not specifically mention a crash as the behavior of the software failure incident.
(b) omission: The software failure incident involved an omission where the system omitted to perform its intended functions at an instance(s). Tyler Technologies confirmed that the hacker only reached internal networks, and the attack had no impact on the software it hosts for clients [Article 105096].
(c) timing: The articles do not specifically mention timing as the behavior of the software failure incident.
(d) value: The software failure incident did not involve the system performing its intended functions incorrectly.
(e) byzantine: The software failure incident did not involve the system behaving erroneously with inconsistent responses and interactions.
(f) other: The software failure incident involved a ransomware attack where the hacker encrypted company files and demanded payment to decrypt them again [Article 105096].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, theoretical_consequence
Rationale:
(d) property: People's material goods, money, or data was impacted due to the software failure
- Tyler Technologies reported a ransomware attack where the hacker encrypted company files and demanded payment to decrypt them [Article 105096].
- The attack on Tyler Technologies raised concerns about the potential impact on election-related sites and adjacent computer networks [Article 105059].
- The ransomware attack on Tyler Technologies could have allowed hackers to access customers' passwords stored on its network, potentially penetrating their systems [Article 105812].
- Cybersecurity experts mentioned that ransomware purveyors are increasingly stealing valuable data before demanding payouts, threatening to make the stolen data public if the victim doesn't pay up [Article 105059].
- The ransomware attack on Tyler Technologies could have led to the siphoning out of valuable data before scrambling them and demanding payouts [Article 105059].

Category: Domain
Option: information, government
Rationale:
(a) The failed system was intended to support the production and distribution of information. Tyler Technologies provides software services to local governments, including programs to dispatch police in emergencies and to display local information, including election results [105097]. Tyler Technologies' platforms are used by elections officials to display voting results, among other tasks [105819].
(l) The failed system was also related to the government industry. Tyler Technologies provides software services to local and state governments for various functions, such as jail and court management systems, payroll, human resources, tax and bill collection, and land records [105059]. The company's products are used by U.S. states and counties to share election data, and the software is used by election officials to aggregate and report election results in at least 20 places around the country [107573].
