The IT Nerd

D.C. Department of Insurance, Securities and Banking Admits That It Had A Data Breach After LockBit Claims That They Pwned Them

In a statement late last week, the D.C. Department of Insurance, Securities and Banking (DISB) confirmed it was notified by third-party software provider Tyler Technologies that it “has experienced a data breach related to securities data,” a week after LockBit claimed it had attacked the regulatory agency and stolen 800GB of data.

The Washington, D.C., government agency, designed to protect consumers from abuses by financial institutions, confirmed that data stolen and leaked by the LockBit ransomware gang was taken from a third-party technology provider, Tyler Technologies, a public company that serves government agencies and schools around the world.

“Tyler Technologies discovered unauthorized access to their cloud that stores DISB’s STAR system client data,” DISB said, directing people to an alert from Tyler Technologies.

On April 13, the LockBit ransomware gang claimed it attacked DISB and stole 800GB of data. Then, on Thursday evening, LockBit said that negotiations had broken down and that it planned to leak 1GB of data in order to further push the organization into paying a ransom.

Tyler Technologies says it is currently “working to identify which individuals’ personally identifiable information (PII) may have been acquired by the threat actor.”

Emily Phelps, Director, Cyware, had this to say:

   “Third-party security attacks are common and represent a real cybersecurity risk. Organizations must not only protect their own environments but must also ensure their technology partners and agencies have effective security programs in place. By leveraging advanced threat intelligence and security orchestration, entities can improve their resilience against these ubiquitous cyber threats. This situation also highlights the importance of thorough due diligence and continuous monitoring of third-party vendors, particularly those handling sensitive data.”

Ted Miracco, CEO, Approov Mobile Security, adds this comment:

   “Tyler Technologies’ engagement with law enforcement and a cybersecurity firm is a step in the right direction, given that personal identifiable information (PII) was likely stolen. However, this situation exemplifies the risks associated with third-party vendors, as Tyler Technologies experienced unauthorized access that compromised DISB’s data. Any delays in public acknowledgment and response from either the DISB or Tyler Technologies reflect upon shortcomings in their incident response strategies. The fact that Tyler Technologies had immutable backups and was able to focus on recovery is commendable, as having robust data backup and recovery processes is vital in ransomware mitigation strategies. The bottom line is that there are many problems with this breach and a few encouraging elements in the response.”

Another day, another supply chain attack. Sigh. At this point, you have to wonder when the madness will end and organizations will get serious about securing themselves and their partners.
