The Wolters Kluwer CCH outage: What happened?

Register now

On Monday May 6, between the hours of 8-10 a.m. E.T., accountants across the country started realizing their CCH products, which are based in the cloud, were down. Some users speculated online that it was an unannounced maintenance outage, but it soon became clear that something was wrong.

On Tuesday a PR representative from Wolters Kluwer Tax & Accounting, which makes the CCH products, confirmed the outage was the result of a malware attack:

“On Monday May 6, we started seeing technical anomalies in a number of our platforms and applications,” the statement given to Accounting Today reads. “We immediately started investigating and discovered the installation of malware. As a precaution, in parallel, we decided to take a broader range of platforms and applications offline. With this action, we aimed to quickly limit the impact this malware could have had, giving us the opportunity to investigate the issue with assistance from third-party forensics consultants and work on a solution. Unfortunately, this impacted our communication channels and limited our ability to share updates. On May 7, we were able to restore service to a number of applications and platforms.”

The limited ability to share updates angered CCH users, many of whom took to social media to air their grievances against a cloud partner they perceive to be ill-prepared for maintaining ongoing service and proper security online.

Despite CCH stating that a number of applications and platforms were up and running today, May 7, several users on a Reddit thread on the topic have stated that as of this morning in Florida, Maine, Texas, Pittsburgh and South Carolina, their CCH systems are still down.

CCH users on Reddit and Twitter said services affected include portal functionality, e-filing, updates and authorizations. However, as CCH officials stated above, all functionality was taken offline as a precaution.

Reassuring customers for now, CCH officials also said, “We have seen no evidence that customer data was taken or that there was a breach of confidentiality of that data. Also, there is no reason to believe that our customers have been infected through our platforms and applications. Our investigation is ongoing. We want to apologize for any inconvenience this may have caused.”

Reddit user @paidgoogler posted a statement one of their clients received from their CCH representative. An employee of a Florida-based firm who wished to remain anonymous confirmed that multiple firms received this same email. (Accounting Today is awaiting confirmation from CCH that the letter below was in fact written by a CCH rep.)

"I appreciate everyone’s patience with the fact that this update is just now getting to you (as you might imagine it’s been a busy morning for me)," the rep wrote. "I spoke with many of you yesterday so some of this may be a repeat. As you are well aware, the CCH outage from yesterday is still occurring today. I’m not going to speculate as to the nature of this because I’m sure you’ve already done that for me and I’m aware of what is being said on the forums/message boards and our competitors (thank you to those of you who sent this over to me).

"Importantly, many of you are awaiting guidance on what you should be doing with your staff today and unfortunately I do not have a good answer for this. Many of you saw the maintenance window message which said that operations would be back up by 8:30AM CST today, which has come and gone. I have not received any updated communication regarding a timeframe. I understand that many of you are looking to me to provide guidance on what you should do with your people today and I’m unable to provide that, however I will let you know that I am approaching my day with the anticipation that CCH will be down through today given how this has played out.

"While I said I’m not going to speculate on the nature of this, I understand that many are concerned about a potential malware attack on areas of the CCH infrastructure. To that end, I will be obtaining our most recent SOC 2 report for you to see the security protocol reports related to our systems and will send over when I get it. Please note that this is not an acknowledgment of this actually being the issue, but rather just an acknowledgment that obviously people are talking and this is a common concern.

"I will update this email as soon as I have additional information for you. While many of you know that I’ll go to great lengths to help you out, I’ll respectfully request that you refrain from calling just to get updates (as I’ll probably spend a good 20 minutes talking your ear off while providing no new information). I will update this thread with additional details as they become available (tonight at the latest)."

This article will be updated as the situation progresses.

Update May 7, 3:15 p.m. ET: The outage seems to be worldwide, not just in North America.

Update May 7, 3:23 p.m. ET: Reddit user Jluvs2dive reports that two employees at their firm received an email from a Wolters Kluwer address that includes a malicious link. The email was reportedly sent from a user named "Tammy" with a Wolters Kluwer email address.

Update May 8, 12:21 p.m. ET: Wolters Kluwer has no further official updates at this time.

Accounting Today's source from Florida informed the magazine that upon attempted login to the CCH Axcess platform, his firm received a message that the system would be up first on Tuesday, May 7 at 8:30 a.m. CST; then Wednesday, May 8 at 3:30 p.m. CST; and now, Thursday, May 9, at 7:00 a.m. CST. See screenshot below.

In addition, Facebook user Diana Maria Shaw Knight stated on the most recent post on the Wolters Kluwer Tax & Accounting page that she logged into Axcess Document early Wednesday morning and was briefly able to view her files: "If you are worried about whether your files are REALLY still there in AxCess Document - they seem to be," Knight wrote. "When I came in early this morning, just for the heck of it, I tried to log in (expecting nothing). And, light of my life, it came up ! (Wish I had known it was up - even if it was at 3 am. COMMUNICATION is KEY.) Anyway, I went in and snagged some files I have needed since Monday and saved them locally. Everything seems to be intact, as though nothing happened. There was a message that said that they were going down again at 7:10 am - and to save and exit prior to that time. And supposedly it will all be back up by tomorrow morning according to that message."

Update May 8, 1:45 p.m. ET: CCH Axcess is back online (see CCH is back up).

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Malware Cloud computing Accounting software