The investigation is ongoing. We have no evidence that the STAR system was specifically targeted.

We have confirmed evidence that the threat actor acquired information from the system. We are working with third-party cybersecurity forensic experts to identify the full impact.

As of April 18, the threat actor published information they claim was acquired from the STAR system.

We have no evidence of spillover impact to any other Tyler products or environments.

This system was hosted in an isolated environment and not in Tyler’s AWS Cloud environment. We have no evidence of spillover impact to any other Tyler products or environments.

We continue to work with the third-party cybersecurity firm to determine what data may have been accessed.

Update April 18, 2024: We are working to identify which individuals’ personally identifiable information* (PII) may have been acquired by the threat actor.

*PII is information that is unique to an individual and can be used alone or in combination with other information to identify someone. This may include, among other items, an individual’s social security number, date of birth, and driver’s license number.

Once we have identified which individuals’ PII may have been accessed, our legal team will work with our clients to notify affected individuals, as required by applicable law.

No.

We understand many people would like additional details regarding this situation. We sympathize with that interest; however, we are guided by the evidence that we have received from our third-party experts and are committed to addressing this incident in a secure and responsible way. That includes sharing information when it is validated and safe to do.

This page contains all currently available public information regarding this situation. If new information becomes available, we will provide the update here when it is safe and responsible to do so.

The State Regulatory Platform Suite was not affected by this security situation. The third party who contacted you does not represent Tyler and they did not contact us before sending their communication. The information they are providing may be inaccurate or incomplete. We apologize for any concern this may have caused and want to reassure you that if you did not hear from us, your system was not impacted.