Could your organization live without its tax software for a few days at this time of year? Accounting firms using Wolters Kluwer’s CCH cloud platform found out what it would be like.

An outage of CCH Axcess, the cloud-based tax preparation and compliance and workflow management solution, began on Monday, May 6, after the discovery of malware. Some services were restored by Wednesday, but others were still not fully back up and running on Friday morning.

While Wolters Kluwer restored network and access services for CCH Axcess on Wednesday, according to an online post from a CCH Axcess product manager, 24 hours later the company said it was still in the process of scanning, testing, and restoring other parts of the cloud-based suite.

Tax form e-filing, links to chat support, the Globalfx app, and the CCH Knowledge Base of articles and news would be the last pieces of the platform to be restored, Wolters Kluwer said. While e-filing capabilities were partly restored by Friday, some users were still encountering difficulties, according to posts on the social media platform Reddit.

CCHSome users also indicated that they had not heard from CCH product support or their account managers this week. Some support websites were also offline.

Many users were particularly concerned about the inability to access CCH’s electronic tax filing system.

“It’s now day four with lots of [tax] returns here I am supposed to have e-filed and can’t,” posted one user at 3 p.m. Eastern time on Thursday, May 9. “Taxpayers are racking up late payment interest charges that they will likely look to me to cover.”

Another preparer pointed out that their firm needed to upload or release tax returns by May 15, and asked if Wolters Kluwer had notified the Internal Revenue Service so that clients could get a deadline extension.

“I will hate to re-key returns that are already uploaded [and] ready to be submitted on another software system … but if you would be honest and tell us you don’t know if you will be up by May 15, we will do that.”

Another user wrote that the entire incident had been “extremely troubling and sobering to say the least.” The firm had just converted to CCH Axcess last fall. “To think this was ever a possibility gives our firm great pause,” the poster wrote.

The outage began on Monday when Wolters Kluwer said its monitoring system alerted it “to technical anomalies in a few of our applications and platforms.” At the same time, between the hours of 8 a.m. and 10 a.m. Eastern time, accountants across the country started realizing the Axcess CCH products weren’t working. Many firms first thought the company was installing a maintenance update.

“It’s now day four with lots of [tax] returns here I am supposed to have e-filed and can’t.”

Wolters Kluwer said it immediately started investigating and detected the installation of malware. It then took many of the platforms and applications offline to protect customers’ data and isolate the malware attack.

Taking down the systems, however, also “impacted our communication channels and limited our ability to share updates” with users, Wolters Kluwer admitted.

While Wolters Kluwer has said it found malware installed on some of its systems, as of Thursday the company said it had not found any indication that users’ data had been compromised or that there was an ongoing risk to customers’ data. Regardless, the company said it had notified law enforcement.

There was lots of speculation online as to the nature of the malware attacks.

“They hired incident responders and forensic folks to help respond and recover,” said Dr. Wes McGrew, director of operations at HORNE Cyber, a security testing unit of CPA firm HORNE. “Presumably at the conclusion of the investigation, they will have some breach notification to customers to let them know what their exposure is,” if any.

The extended systems downtime should cause some firms to re-examine the level to which they are trusting cloud providers to secure business-critical software, McGrew suggested.

“Do you want to have an entirely different service provider as a backup or have something in-house?” asked McGrew, a frequent presenter at the DEF CON and Black Hat USA conferences and a trainer in digital forensics to law enforcement.

Systems security is hard to implement and resource-intensive, says McGrew, but when it’s put in the hands of the cloud service provider “the problem doesn’t go away, it just shifts.”

Customers need to ask for penetration tests reports from the vendor to ensure it is spotting security vulnerabilities ahead of time and remediating them, he added. “It’s no longer your problem but you have to make sure they know it’s their problem.”

Even penetration tests are not foolproof, however. Most cloud service providers are doing it, but there’s a lot of variation in test quality. “If fully automated, a penetration test can be less effective than if it’s done by a team of cyber operatives,” McGrew ways.

“For everything I have seen, the most effective means of identifying [vulnerabilities]  is to test them in an adversarial fashion — to run a team of hackers against the system to find [weak points] before they are exploited for real.”

Nearing noon Eastern time on Friday, Wolters Kluwer had not issued a statement indicating whether its customer support systems were back online.

, , , , , ,

2 responses to “CCH Tax Software Outage Leaves Accountants in Limbo”

  1. Possible Solution for Accounting software firm Wolters Kluwer malware problem: Cyberattack are becoming very common today. Wolters Kluwer provides accounting software and services to all major U.S. accounting firms, according to its website. They do need to take a new approach when dealing with software downloads and that is to have the service provider dump files that will be downloaded on to a separate computer once an update period and this would be their downloads only. Their customer links would be to that computer only! There would be one computer for each version of the software updates which would allow for their customers to use their own schedule for the applicable version download. Once a download option computer is now longer required by any customer that computer would have to be reset to a startup where nothing is carried forward to protect against a possible security threat that originated on a customer’s system. This is a security issue and the time has come to take a very different approach when dealing with software downloads. To take this one step further companies like Wolters Kluwer would not allow access outside of their secured development network even by their president. This approach does work and in the long run provides more protection for their customers.

  2. WK messed up for the 2012 late tax changes but managed to blame everyone but themselves. Their support took much longer to answer the phone (sometimes hours) for 2018 returns and blamed everyone but themselves (wow, maybe you guys could have hired more people to man the phones). Now this screw up with no communication, which based on past history will be “those people over yonder’s” fault, not theirs. They deserve to get sued to oblivion, but of course the “Terms” that we are required to agree to say they are never at fault for anything, nor will they provide a dime of compensation resulting from their screwups. I have used ATX since 1978. No longer. These guys [stink] and take no responsibility for their terrible support, programming errors, and now data breach. Why ever use them? I have enough problems without a company that I pay a lot of money yearly causing me more.

Leave a Reply

Your email address will not be published. Required fields are marked *