Could your organization live without its tax software for a few days at this time of year? Accounting firms using Wolters Kluwer’s CCH cloud platform found out what it would be like.
An outage of CCH Axcess, the cloud-based tax preparation and compliance and workflow management solution, began on Monday, May 6, after the discovery of malware. Some services were restored by Wednesday, but others were still not fully back up and running on Friday morning.
While Wolters Kluwer restored network and access services for CCH Axcess on Wednesday, according to an online post from a CCH Axcess product manager, 24 hours later the company said it was still in the process of scanning, testing, and restoring other parts of the cloud-based suite.
Tax form e-filing, links to chat support, the Globalfx app, and the CCH Knowledge Base of articles and news would be the last pieces of the platform to be restored, Wolters Kluwer said. While e-filing capabilities were partly restored by Friday, some users were still encountering difficulties, according to posts on the social media platform Reddit.
Some users also indicated that they had not heard from CCH product support or their account managers this week. Some support websites were also offline.
Many users were particularly concerned about the inability to access CCH’s electronic tax filing system.
“It’s now day four with lots of [tax] returns here I am supposed to have e-filed and can’t,” posted one user at 3 p.m. Eastern time on Thursday, May 9. “Taxpayers are racking up late payment interest charges that they will likely look to me to cover.”
Another preparer pointed out that their firm needed to upload or release tax returns by May 15, and asked if Wolters Kluwer had notified the Internal Revenue Service so that clients could get a deadline extension.
“I will hate to re-key returns that are already uploaded [and] ready to be submitted on another software system … but if you would be honest and tell us you don’t know if you will be up by May 15, we will do that.”
Another user wrote that the entire incident had been “extremely troubling and sobering to say the least.” The firm had just converted to CCH Axcess last fall. “To think this was ever a possibility gives our firm great pause,” the poster wrote.
The outage began on Monday when Wolters Kluwer said its monitoring system alerted it “to technical anomalies in a few of our applications and platforms.” At the same time, between the hours of 8 a.m. and 10 a.m. Eastern time, accountants across the country started realizing the Axcess CCH products weren’t working. Many firms first thought the company was installing a maintenance update.
“It’s now day four with lots of [tax] returns here I am supposed to have e-filed and can’t.”
Wolters Kluwer said it immediately started investigating and detected the installation of malware. It then took many of the platforms and applications offline to protect customers’ data and isolate the malware attack.
Taking down the systems, however, also “impacted our communication channels and limited our ability to share updates” with users, Wolters Kluwer admitted.
While Wolters Kluwer has said it found malware installed on some of its systems, as of Thursday the company said it had not found any indication that users’ data had been compromised or that there was an ongoing risk to customers’ data. Regardless, the company said it had notified law enforcement.
There was lots of speculation online as to the nature of the malware attacks.
“They hired incident responders and forensic folks to help respond and recover,” said Dr. Wes McGrew, director of operations at HORNE Cyber, a security testing unit of CPA firm HORNE. “Presumably at the conclusion of the investigation, they will have some breach notification to customers to let them know what their exposure is,” if any.
The extended systems downtime should cause some firms to re-examine the level to which they are trusting cloud providers to secure business-critical software, McGrew suggested.
“Do you want to have an entirely different service provider as a backup or have something in-house?” asked McGrew, a frequent presenter at the DEF CON and Black Hat USA conferences and a trainer in digital forensics to law enforcement.
Systems security is hard to implement and resource-intensive, says McGrew, but when it’s put in the hands of the cloud service provider “the problem doesn’t go away, it just shifts.”
Customers need to ask for penetration tests reports from the vendor to ensure it is spotting security vulnerabilities ahead of time and remediating them, he added. “It’s no longer your problem but you have to make sure they know it’s their problem.”
Even penetration tests are not foolproof, however. Most cloud service providers are doing it, but there’s a lot of variation in test quality. “If fully automated, a penetration test can be less effective than if it’s done by a team of cyber operatives,” McGrew ways.
“For everything I have seen, the most effective means of identifying [vulnerabilities] is to test them in an adversarial fashion — to run a team of hackers against the system to find [weak points] before they are exploited for real.”
Nearing noon Eastern time on Friday, Wolters Kluwer had not issued a statement indicating whether its customer support systems were back online.