22 Texas Municipalities (Coordinated Wave) Breach Analysis — Texas Breach Tracker

Incident Date

2025-10-01

Records Exposed

Unknown

Attack Type

Ransomware

Threat Actor

Unconfirmed

Incident Timeline

2025-10-01

First wave: 8 municipalities report simultaneous system outages
2025-10-03

Texas DIR and DPS CISA coordinating incident response across entities
2025-10-07

Second wave: 14 additional municipalities affected
2025-10-09

Collective $2.5M ransom demand delivered; all 22 entities refuse payment
2025-10-15

FBI involved; coordinated IR effort begins system restoration
2025-12-01

Most systems restored; CJIS access suspended for 6 entities pending FBI audit

Attack Vector Analysis

How they got in

Supply-chain style attack leveraging a shared municipal IT managed services provider. Initial access via compromised MSP credentials; single pivot enabled simultaneous lateral movement across all 22 client networks. CJIS-connected systems affected, triggering FBI notification requirements.

What CoreRecon Would Have Caught

Sentinel / Fortress / Command coverage

Sentinel Anomalous MSP credential usage across multiple client networks simultaneously would trigger cross-client correlation alert within minutes

Sentinel SIEM rules for CJIS-adjacent system access from unusual source IP — real-time alert before lateral movement completes

Fortress Privileged access management: MSP vendor access via just-in-time provisioning eliminates standing credential risk

Command vCISO supply-chain risk assessment would have flagged shared MSP as single point of failure — contractual IR obligations and segmentation requirements added before attack

Sentinel ($89/ep/mo) — 24/7 SOC + SIEM. Fortress ($109/ep/mo) — Sentinel + EDR management + vulnerability management. Command ($129/ep/mo) — Fortress + vCISO + compliance mapping + IR plan. See full tier comparison →

Compliance Failures Mapped

Regulatory exposure

Regime	Standard / Citation	Gap Identified
CJIS	CJIS SP v6.0 §5.13	Third-party vendor access controls — MSP lacked CJIS-compliant access provisioning
CJIS	CJIS SP v6.0 §5.3	Incident response — no documented IR plan for municipal IT; FBI notification delayed
TDPA	Tex. B&C Code §521.053	Breach notification obligations triggered for citizen PII across multiple municipalities

How to Not Be Next

5-point hardening list

1

Require CJIS Security Addendum from all IT vendors with access to systems touching criminal justice data
2

Implement just-in-time vendor access provisioning — no standing admin credentials for MSPs or third parties
3

Network segmentation: CJIS-connected systems isolated from general municipal IT on separate, monitored VLAN
4

Cross-entity IR plan with documented notification chain — FBI, Texas DIR, AG — tested annually via tabletop
5

Vendor risk assessment program: annual security review of all MSPs with network access

Source Citations

CoreRecon cites verifiable public sources only. No speculation on unverified attribution is published. Threat actor attribution appears only where publicly confirmed by law enforcement or the organization.

More Municipal Incidents

Is your organization hardened against this attack vector?

Free $2,500 security posture assessment for Texas organizations. We map your gaps against the same attack vectors used in this incident. No contract, no commitment.

Request Free Assessment ← Full Tracker

22 Texas Municipalities (Coordinated Wave)Breach Analysis

How they got in

Sentinel / Fortress / Command coverage

Regulatory exposure

5-point hardening list

Is your organization hardened against this attack vector?

22 Texas Municipalities (Coordinated Wave)
Breach Analysis