Early in the afternoon on Friday, May 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) had abused that access.
Shortly after that report, the CCH file directory for tax software downloads was taken offline. As of this publication, several readers have reported outages affecting multiple CCH Web sites. These same readers reported being unable to access their clients’ tax data in CCH’s cloud because of the ongoing outages. A Reddit thread is full of theories.
I do not have any information on whether my report about the world-writable file server had anything to do with the outages going on now at CCH. Nor did I see any evidence that any client data was exposed on the site.
What I did see in those CCH directories were a few odd PHP and text files, including one that seemed to be promoting two different and unrelated Russian language discussion forums.
I sent Wolters Kluwer an email asking how long the file server had been so promiscuous (allowing anyone to upload files to the server), and what the company was doing to validate the integrity of the software made available for download by CCH tax customers.
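The integrity question above (what protects customers when anyone can write to the download directories) comes down to being able to tell genuine release files from anything else in the tree. As an added example, not code from KrebsOnSecurity or Wolters Kluwer, here is a Python audit that compares a download tree against a publisher-side manifest of SHA-256 hashes; the directory layout, file names and manifest are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_download_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a download tree against a manifest of relative path -> sha256.

    Returns three sorted lists:
      tampered   - manifest entries whose on-disk hash no longer matches
      missing    - manifest entries that are absent from disk
      unexpected - files on disk with no manifest entry (e.g. a stray .php or .txt)
    """
    report = {"tampered": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_of(path) != manifest[rel]:
            report["tampered"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: one intact installer, one altered after publishing,
    one stray PHP file nobody published, and one manifest entry that was deleted."""
    root = Path(tempfile.mkdtemp())
    (root / "downloads").mkdir()
    setup = root / "downloads" / "setup.exe"
    update = root / "downloads" / "update.msi"
    setup.write_bytes(b"constructed installer bytes")
    update.write_bytes(b"constructed update bytes")
    manifest = {
        "downloads/setup.exe": sha256_of(setup),
        "downloads/update.msi": sha256_of(update),
        "downloads/readme.txt": "0" * 64,  # placeholder hash for a file that is now missing
    }
    update.write_bytes(b"constructed update bytes, altered after the manifest was signed")
    (root / "downloads" / "stray.php").write_text("<?php // constructed stray file ?>")
    return audit_download_tree(root, manifest)
```

In production the manifest would be generated on the build system and signed, so that an attacker with write access to the web server cannot simply regenerate it alongside the files.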
Marisa Westcott, vice president of marketing and communications at Wolters Kluwer, told KrebsOnSecurity on Friday that she would “check with the team to see if we can get some answers to your questions.”
But subsequent emails and phone calls have gone unreturned. Calls to the company’s main support number (800-739-9998) generate the voice message, “We are currently experiencing technical difficulties. Please try your call again later.”
On Tuesday morning, Wolters Kluwer released an update on the extensive outage via Twitter, saying:
“Since yesterday, May 6, we are experiencing network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of an abundance of caution, we proactively took offline a number of other applications and we immediately began our investigation and remediation efforts. The secure use of our products and services is our top priority. We have been able to restore network and services for a number – but not all – of our systems.”
Accounting Today reports today that a PR representative from Wolters Kluwer Tax & Accounting, which makes the CCH products, confirmed the outage was the result of a malware attack:
“On Monday May 6, we started seeing technical anomalies in a number of our platforms and applications,” the statement given to Accounting Today reads. “We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates. On May 7, we were able to restore service to a number of applications and platforms.”
Accounting Today says the limited ability to share updates angered CCH users, many of whom took to social media to air their grievances against a cloud partner they perceive to be ill-prepared for maintaining ongoing service and proper security online.
“Despite CCH stating that a number of applications and platforms were up and running today, May 7, several users on a Reddit thread on the topic have stated that as of this morning in Florida, Maine, Texas, Pittsburgh and South Carolina, their CCH systems are still down,” Accounting Today wrote.
Special thanks to Alex Holden of Hold Security for help in notifying CCH.
Update, May 9, 10:26 a.m. ET: Updated this story to include the latest statement from Wolters Kluwer:
“On Monday May 6, our monitoring system alerted us to technical anomalies in a few of our applications and platforms. We immediately started investigating and detected the installation of malware. When we detected the malware, we proactively took a broad range of platforms, specifically including the CCH tax software applications, offline to protect our customers’ data and isolate the malware. The service interruptions our customers experienced are the result of our aggressive, precautionary efforts.”
“On May 7, we were able to begin restoring service to a number of applications and platforms. At this time, we have brought CCH Axcess, CCH SureTax, CCH AnswerConnect, and CCH Intelliconnect back online. Our process and protocols assure a high degree of confidence in the security of our applications and platforms before they are brought back online. We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.”
“At this time, we have notified law enforcement and our investigation is ongoing. We regret any inconvenience this has caused, and we are fully committed to restoring remaining services as quickly as possible for our customers.”
I can’t believe that they are not sending out status updates to their clients. Every day I try to access their site and I can’t get in. Terrible service that they don’t communicate in some way with us. I can’t even get through by phone.
From what I have heard, their email and phones are all down too.
You can check for company updates using this link.
Personally I have several returns that have not been filed as a result.
While the taxpayers are not aware of the issue – when should we start to inform them?? – Some are expecting refunds soon, and/or if money is owed it is not being paid.
I am in the same boat, trying to decide when to start the panic or to just hold on.
My May 15th returns are the immediate concern.
Page 5 of Chapter 1 in the Electronic Filers Manual states near the bottom: You must inform your client accordingly if a delay is encountered in the submission of the EFILE return.
Page 5 of Chapter 2 in the Electronic Filers Manual states: You should inform your clients about any processing delay…
The Manual can be found at https://www.canada.ca/content/dam/cra-arc/formspubs/pub/rc4018/rc4018ch2-18e.pdf
Here is an update as of today with more detail from CCH: https://cbriancpa.com/2019/05/09/05-09-2019-wolters-kluwer-network-service-interruptions-update/
Wow, what a mess. A vendor who took responsibility for sensitive client data only to be hacked. Here is a lesson for all of us who promote our expertise and pledge to stand as trusted advisors. Let’s see how Wolter Kluwer makes this right.
Scroll down… this is the data they are after – https://wolterskluwer.com/products-services/our-portfolio/governance-risk-compliance.html
I don’t think the tax data is that valuable to bad actors since much of it is public information. It’s the data in OneSumX and other apps that can cause a lot of damage if leaked.
Banks, insurers and law firms really need to step up their third party risk assessment. They usually hire non-technical staff for their 2nd line of defense which is absurd… and the reason why this happens. Third party risk assessments need to go down to the chip and code level. Enough with these stupid spreadsheets. They are meaningless.
“I don’t think the tax data is that valuable to bad actors…”
Now that I think about it, it is a small miracle that nobody has yet managed to pull off any kind of hack and get hold of Trump’s taxes and then make those all public. That certainly would save everyone a lot of time and bother.
Russia, if you’re listening…
I was finally able to upload May 15 tax returns to the cch efile website.
Next problem is I am unable to log into the efile website, as the message states my password is invalid. Apparently when I go to try and change the password by answering the security questions, I am now receiving a message of invalid response to every question I chose.
Am I to assume all of the passwords and security questions will now have to be reset on cch back end??
Everyone in my office was able to log into the efile system without any problems once it came online. No issues with passwords for us. You might try accessing it through the EFX button in PFX, if that’s the program you use. Or you can have your admin reset your password.
Scott, I’ve had no such password issues and have been able to e-file returns prepared on ProSystem fx since around 5:45 Mountain time today. Validation of the returns is still in progress which is probably understandable considering the volume of returns being uploaded.
Well, I hope all you accountants learn a lesson here about not entrusting your businesses to an open Internet. If KW can’t protect their own files and customers, you’re no safer.
Unplug your clients’ files from the Internet, before it happens to you.
Doctors, pharmacies, learn a lesson here, too.
What? You are living in the ancient past – I can see by your grammar and references (WK btw) and “all you accountants”? If you are not one don’t bother commenting – you are as much part of the problem as the hackers are.
Who are you to tell me to not comment? This is not a drum circle for accountants to whine about access problems. This is a security blog. Anyone can comment, unless the owner doesn’t want it done. And so far, he’s allowed us both to be here.
Instead of name-calling, you should focus on the facts you have (hopefully) learned here.
Importantly, your line of work is incredibly vulnerable and you rely too heavily on technology that was developed for convenience, not protecting your clients.
Well said, and I agree.
Thank you for your pointless point. Have a great day.
I am quite concerned about this. The communication is way too “at the bottom” for me. There should be a far easier way to communicate what and when we (Customers) can expect to be back doing business. I almost purchased my software for next year, but I am sincerely rethinking. I understand hacking happens, but in this case silence is anything but golden. #RefundsToday
Maybe Russians were trying to get to Trump’s return? I thought I would drop his name here since everything gets blamed on him.
My concern is for webfiling TX franchise extensions – they don’t give you a choice to file an extension with payment to be paid later through TXNET – it takes you directly to TXNET to make a payment, so the extension is not complete. I filed a few with zero due and asked clients to go into TXNET and pay in the amount.
This is strange: https://www.google.com/search?q=site:CCHsfs.com+inurl:txt
The cached file: http://webcache.googleusercontent.com/search?q=cache:PCnbdOF6A_4J:upd2010f.cchsfs.com/SFS_2011/r7-nxp47DB3B4630D6E7C1.txt+&cd=1&hl=en&ct=clnk&gl=us
“This file uploaded by Rapid7 NeXpose.”
Did they know about the issue..?
I saw a ton of files and artifacts left behind by scanners like Burp and NeXpose, but it’s always possible the admin of the server ran these at some point and just never cleaned things up. In any case, it didn’t look good.
I suspect that after you showed them the link to the files that someone decided to open one of the files to see what it was… That would explain why it happened almost immediately after they received your email. Just a theory.
The cloud is where we are headed…so I don’t think we as accountants cannot disconnect. But what is really stunning with some of these products is the lack of a local back-up. I don’t use CCH, but I can tell you that Intuit does not provide a satisfactory local back-up for the cloud tax product. The breach is bad enough, but what happens when a cloud user loses 3 or 4 years of work, for an entire firm? Local backups, please!
EDIT: …. so I don’t think we as accountants CAN disconnect.