Wolters Kluwer CCH Systems Recovering from Malware Incident, Axcess Systems Partially Restored for Users

It’s been a tough few days for users of Wolters Kluwer’s CCH tax products, especially for those using CCH Axcess. Wolters Kluwer’s systems were affected by malware, per a company release issued the day after the outage triggered by the malware began.

The problem began early on Monday as users discovered CCH’s online systems were not accessible. While those using the on-site version of CCH’s tax product (ProSystem fx) lost access to electronic filing and the ability to obtain additional single return licenses to run returns if the user ran out of already downloaded permissions, those on the hosted Axcess products lost access to all programs they had licensed on the platform.

As the day continued and the products still could not be accessed, users who attempted to call support to check on the situation found the company’s phone system was also down.  A thread started on Reddit’s /r/sysadmin subreddit where a number of users began to comment and discuss the issues. 

Some users, claiming to be employees of Wolters Kluwer or to have gotten information from employees of the organization, posted information about being told the systems were affected by malware and that they had been told to shut down all systems immediately. Most of these posts were eventually deleted by those who posted them, but the discussion continued there with accounting firm system administrators and CCH users as no official information emerged from the company as the day wore on.

Late that evening (10:00 pm EDT), the first information emerged from the company in a post on the Wolters Kluwer Facebook page. That post stated:

On May 6, 2019, Wolters Kluwer experienced network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of an abundance of caution, we proactively took offline a number of other applications as we continue to investigate any impact. This prevented us from having adequate time to provide you advance notice, and for that we sincerely apologize.

We are working diligently around the clock to restore service as soon as possible.

We apologize to our customers for the inconvenience and appreciate your patience. We will provide further updates as they become available.

At 10:46 am EDT the next day a new Facebook update added a statement that “[a]t this time, there is no indication that our customers’ data has been compromised,” the first indication that this was not simply a hardware failure, but some incident that led the organization to make a statement about the potential compromise of data. At 5:16 pm EDT on Tuesday another Facebook post confirmed that, as had been speculated on /r/sysadmin, malware had been found on the system, although the nature of that malware was not indicated.

In addition to the note that there was no indication that data was compromised, the statement added a new assurance that caught readers’ attention:

Also, there is no reason to believe that our customers have been infected through our platforms and applications.

That same afternoon, IT security blogger Brian Krebs posted an article on his website that revealed one additional key piece of information that helped explain why Wolters Kluwer likely felt they had to comment on potential infection of customers.[1]

Early in the afternoon on Friday, May 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.

Shortly after that report, the CCH file directory for tax software downloads was taken offline.

The blog post contains an image from the Internet Archive’s Wayback Machine of the page containing the open directory cited above.  In that image it’s clear the directories related to the ATX software.

As Brian notes, he was contacted by users on Monday indicating that they could no longer access the site.  He wrote:

I do not have any information on whether my report about the world-writable file server had anything to do with the outages going on now at CCH. Nor did I see any evidence that any client data was exposed on the site.

However, Brian did note that he found files that had apparently been placed in that directory that did not appear to originate from CCH.

What I did see in those CCH directories were a few odd PHP and text files, including one that seemed to be promoting two different and unrelated Russian language discussion forums.

I sent Wolters Kluwer an email asking how long the file server had been so promiscuous (allowing anyone to upload files to the server), and what the company was doing to validate the integrity of the software made available for download by CCH tax customers.

Marisa Westcott, vice president of marketing and communications at Wolters Kluwer, told KrebsOnSecurity on Friday that she would “check with the team to see if we can get some answers to your questions.”

However, Brian reported that, as of the time he originally published his article, he had not been contacted and he also noted that attempts to call CCH were frustrated by a message indicating that they were experiencing technical difficulties. 

Mid-day Wednesday users of Axcess reported they were now able to log in and most, but not all, systems were available for use. A CCH Axcess user on /r/sysadmin posted a statement he received from CCH explaining the situation, indicating that Axcess was working but with the following restrictions:

Our priority has been to bring the system up and get you back to work as quickly as possible. In order to do that, we have had to make a few choices, and a few functions are currently unavailable:

  • The e-filing capability is not yet available at this time. We will notify you when it is available; please hold your e-filing until then. Should you attempt to e-file in the meantime, you will receive an upload error message. For now, please save your returns within the CCH Axcess application.

  • The email capability is performing slower than normal. You will notice a latency when attempting to send and receive email messages.

  • Some articles and news are not accessible via links. Currently you will not have access to links to chat or support content; links to CCH Software news, or links to Knowledge Base Articles/Reviews.

  • At this time, new users cannot be activated. For now, you will not have the ability to set up new users within the CCH Axcess application.

Interestingly, while Axcess users reported getting a notice, my firm (which is a ProSystem fx customer) has not received any message from Wolters Kluwer as of the time this is written (7:30 pm MST on May 8). Certainly, it appears nothing has changed for us and, as I noted, Axcess customers appear solely to have now been placed in the position we have been in since Monday. For now it appears all CCH customers are waiting to see when electronic filing comes back up, with the real concern being whether the system will be available to deal with approaching May 15 deadlines.

But the fact that CCH has now been able to bring much of Axcess back online is a good sign. Hopefully it’s not a coincidence that they first worked on getting Axcess customers (who had been shut entirely out of CCH programs since Monday) to the same position that the on-site ProSystem fx customers have been in. That would suggest the next step is to restore those items that are being used by both sets of customers.

Unfortunately, the other concerns that many customers will have will likely take longer to address.  Such malware incidents are complicated to unwind and at times additional information is uncovered as those investigating the incident continue their work.  At this point, though, speculation on what may or may not be the case is not likely going to be helpful.  Certainly, CCH customers will want to stay updated on any future developments that may be announced by Wolters Kluwer as their investigation of the incident continues.

As well, this should serve as a warning to all CPAs that in today’s world there are actors looking to install malware in systems.  Presumably Wolters Kluwer had security procedures in place that were meant to prevent this sort of incident from occurring—and, clearly, they were not able to accomplish that goal.  System security is only as good as its weakest link, and quite often that weak link will be an individual in the organization that is tricked into downloading an attachment or clicking a link that allows malware to be loaded onto the network. 

Both network level protections that are installed by IT and training users on how outside actors will attempt to trick them into assisting them in installing malware on the network are basic requirements of IT system security.  As well, management must be constantly aware that there is no such thing as an “impenetrable network” and overconfidence in the effectiveness of existing systems is likely the biggest risk to your firm’s security.

Update - May 9, 2019 8:00 am MST

C. Brian Streig, CPA has posted on his blog[2] the following email he received from his CCH Representative this morning that appears to be an official Wolters Kluwer statement of the status.

IMPORTANT UPDATE: Wolters Kluwer Network and Service Interruptions

Dear Customer,

Thank you for your continued patience as we work to fully restore all of our applications and platforms. I am writing to update you on the progress we are making in this regard, as well as provide more context about how this situation originated and how we were able to effectively isolate and contain it before it could have any detrimental effect on customer data.

As previously shared, on May 6th when we started seeing technical anomalies in a number of our applications and platforms, we proactively isolated our systems out of an abundance of caution before any detrimental effects could occur. We have since been working with best-in-class anti-virus and security firms to develop and deploy newly released anti-virus solutions. This process assures a high degree of confidence in the security of our applications and platforms before bringing them back online.

It’s important to clarify that although there was malware on our network, we have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.

As you know, Wolters Kluwer delivers a suite of distinct applications in a variety of formats, each of which is designed to serve distinct segments of the tax and accounting ecosystem. We are in the process of scanning, testing, and restoring each service and application, and because they are distinct, they must be brought back online sequentially. We are restoring our applications and platforms in the following order:

  • CCH® SureTax® (online)

  • CCH Axcess™ (online)

  • CCH® AnswerConnect (online)

  • CCH® Intelliconnect® (online)

  • CCH® Account Research Manager (online)

These following systems are still in process:

  • Electronic Filing System (ELF for medium and large firm customers)

  • CCH® Global fx

  • ATX™ & TaxWise® electronic filing

  • TaxWise® Online™

In short, the service interruptions you have experienced are primarily the result of our aggressive, precautionary efforts to ensure the safety of your data. This is why at this time we are confident that we see no indication of data loss or other effects, nor any potential risk to our customers’ data.

As we’ve noted before, we are working diligently around the clock to completely restore service and those efforts are continuing.

If you have any questions, we have established a dedicated customer support line regarding this incident at 800-930-1753 and a live chat capability at taxna.wolterskluwer.com. We appreciate your continued patience and will work to keep you updated as new information becomes available.

The Wolters Kluwer Team

Update - May 9, 2019 4:20 pm MST

The electronic filing system for CCH products came back online between 1:30 pm and 2:00 pm MST based on reports on Twitter. At this time our office has been able to submit returns through the electronic system.

Reports on state society discussion groups indicate that CCH hosted sites remained down for firms that use that hosting service, but presumably that will be brought back online soon.

At 6:00 pm CDT Wolters Kluwer posted an update on their site.[3] That update contained the following information:

Since May 7, we were able to begin restoring service to a number of applications and platforms. We have already brought online several of our systems, including CCH SureTax and CCH Axcess. We're working around the clock to restore service. Our process and protocols assure a high degree of confidence in the security of our applications and platforms before they are brought back online. We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.

At this time, we have notified law enforcement and our investigation is ongoing. We regret any inconvenience this has caused, and we are fully committed to restoring remaining services as quickly as possible for our customers.

Update - May 9, 2019 5:00 pm MST

C. Brian Streig, CPA posted a second update from CCH at 6:43 pm CDT[4] that indicated all of the services listed in the early morning update except the TaxWise Online system were now back up and running.

Update - May 10, 2019 7:00 pm MST

User @Stevenfcpa has posted an update on Twitter[5] that he received an email from Wolters Kluwer that indicates the IRS is granting a special extension of time for filing certain federal returns with a due date of May 15, 2019 for those affected by the Wolters Kluwer malware.

The returns with due dates of May 15 that are reported to be eligible for the extension are:

  • 990 - Tax Exempt Organizations

  • 1120 - Corporations

  • 1065 - Partnerships

The extension would be until May 22, 2019. The email indicates that the IRS has provided “simple but specific” instructions that must be followed for these returns filed after May 15, 2019 but no later than May 22, 2019. The email indicates that Wolters Kluwer will provide that information in a “separate communication” on May 13, 2019.

The email also provides that Wolters Kluwer is working with state tax agencies to obtain relief for filings with those agencies.

Update - May 13, 2019 5:45 pm MST

C. Brian Streig, CPA posted[6] the email he received on the procedures for the 7-day extension in Wolters Kluwer products that is supposed to be going out to affected CCH users.

IMPORTANT UPDATE: IRS Extension Instructions

Monday, May 13, 2019

Dear Valued Customer:

As communicated on Friday, May 10th, the IRS has approved Federal Filing Extensions for the following return types due May 15, 2019:

• 990 – Tax Exempt Organization
• 1120 – Corporations
• 1065 – Partnerships

This means that the Federal filing due date has been extended to May 22, 2019, providing you with 7 additional days to file returns and to pay tax.

The IRS has provided simple but specific instructions that preparers must follow for any return that is filed after May 15, 2019 but no later than May 22, 2019.

CCH Axcess™

990, 990EZ, 990PF E-file
Worksheet View: Enter “Late filed return due to CCH Software outage” on Worksheet Federal > Basic Data > Reasonable Cause Statement > Line 2 and Check the Line 1 box.

990, 990EZ, 990PF Paper
Worksheet View: Enter “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage” on Worksheet Federal > Basic Data > Reasonable Cause Statement > Line 2 and Check the Line 1 box. This statement must be attached to the original, signed return.

990T Paper
Worksheet View: Create a statement using Footnotes on Federal > General > Notes > Federal and State Footnotes titled “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage.” This statement must be attached to the original, signed return.

990, 990EZ, 990PF E-file
Worksheet View: Enter the title “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty” and state the reason as, “Late filed return due to CCH software outage” on Worksheet Federal > General > Notes > Federal and State Footnotes.

CCH® ProSystem fx & CCH® Global fx

990, 990EZ, 990PF E-file
Worksheet View: Enter “Late filed return due to CCH Software outage” on Worksheet Federal > Basic Data > Reasonable Cause Statement > Line 2 and Check the Line 1 box.

Interview: Enter “Late filed return due to CCH Software outage” on Interview Form 12, Box 30 and enter an “X” in Box 31.

990, 990EZ, 990PF Paper
Worksheet View: Enter “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage” on Worksheet Federal > Basic Data > Reasonable Cause Statement > Line 2 and Check the Line 1 box. This statement must be attached to the original, signed return.

Interview: Enter “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage” on Interview Form 12, Box 30 and enter an “X” in Box 31. This statement must be attached to the original, signed return.

990T Paper
Worksheet View: Create a statement using Footnotes on Federal > General > Notes > Federal and State Footnotes titled “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage.” This statement must be attached to the original, signed return.

Interview Form: Create a statement using Footnotes on Federal Interview Form 5 return titled “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty,” State the reason as, “Late filed return due to CCH software outage.” This statement must be attached to the original, signed return.

990, 990EZ, 990PF E-file
Worksheet View: Enter the title “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty” and state the reason as, “Late filed return due to CCH software outage” on Worksheet Federal > General > Notes > Federal and State Footnotes.

Interview: Enter the title “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty” and state the reason as, “Late filed return due to CCH software outage” on Interview Form 10, Federal and State Footnotes.

ATX™

990, 990EZ, 990PF E-file
Navigate to Form 990/EZ/PF, then from the “Pages & Worksheets” button, select the “Reasonable Cause Explanation” worksheet. Enter “Late filed return due to CCH Software outage.” Create your electronic file normally, then transmit it.

990, 990EZ, 990PF and 990T Paper
Navigate to Form 990T, then from the “Pages & Worksheets” button, select the “Reasonable Cause Explanation” worksheet. Enter a title as “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty.” State the reason as, “Late filed return due to CCH software outage.” This statement must be attached to the original, signed return.

1120 and 1065 Paper
Select the Taxpayer Name field. Right-click and select “Insert/Edit Note.” In the dialog, change the title to “Reasonable Cause Explanation”, then edit the description to: “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty, late filed return due to CCH software outage” When printing the return, select “Notes Report” in the “Client Documents” to print. The note will print with the return. NOTE: This document will print with the return, but will NOT be included in any e-File.

TaxWise® Desktop

990, 990EZ E-file and Paper
Navigate to Preparer Notes. Create a note titled, “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty.” State the reason as, “Late filed return due to CCH software outage.” Create your electronic file or mail the return as appropriate. If you mail your return, the statement must be attached to the original, signed return.

990PF, 990T Paper
Navigate to Preparer Notes. Create a note titled, “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty.” State the reason as, “Late filed return due to CCH software outage.” This statement must be attached to the original, signed return.

1065, 1120 E-file and Paper
Navigate to Preparer Notes and enter “Reasonable Cause Waiver Request – IRC 6651, Failure to File Penalty, late filed return due to CCH software outage.” Create your electronic file or mail the return as appropriate.

Please be aware that we are actively working with State tax agencies to gain approval for similar relief. We will keep you updated as new information becomes available.

Should you have any further questions, Support phone lines have been restored:

• CCH Axcess, CCH ProSystem fx and CCH Global fx: 1-800-739-9998
• ATX: 1-800-638-8291
• TaxWise: 1-866-641-9473

For additional updates and statements, check the Wolters Kluwer News page.

Thank you for your continued patience.

The Wolters Kluwer Support Team


[1] Brian Krebs, “What’s Behind the Wolters Kluwer Tax Outage?” Krebs on Security, May 7, 2019, https://krebsonsecurity.com/2019/05/whats-behind-the-wolters-kluwer-tax-outage/

[2] C. Brian Streig, CPA, “05/09/2019 Wolters Kluwer Network & Service Interruptions Update”, https://cbriancpa.com/2019/05/09/05-09-2019-wolters-kluwer-network-service-interruptions-update/

[3] “Public Statement - Network and Service Interruptions,” Wolters Kluwer website, https://wolterskluwer.com/company/newsroom/news/2019/05/media-statement---network-and-service-interruptions.html

[4] C. Brian Streig, CPA, “5/9/2019 – Update #2 from Wolters Kluwer CCH Network & Service Interruptions,” https://cbriancpa.com/2019/05/09/5-9-2019-update-2-from-wolters-kluwer-cch-network-service-interruptions/

[5] https://twitter.com/stevenfcpa/status/1127013509403901952?s=20

[6] C. Brian Streig, CPA, “5/13/2019 – Wolters Kluwer CCH -IMPORTANT UPDATE: IRS Extension Instructions,” https://cbriancpa.com/2019/05/13/5-13-2019-wolters-kluwer-cch-important-update-irs-extension-instructions/