A massive accounting hack kept clients offline and in the dark
By NATE LANXON AND JEREMY KAHN | Bloomberg | Published: May 13, 2019
Dutch company Wolters Kluwer makes the software on which many of the world's small and mid-sized accounting firms run. Earlier this week, a cyberattack took down that software and presented a case study in how not to communicate with customers over a hack.
The company told its followers on Facebook and Twitter on May 6 that, out of caution, it'd taken some of its cloud-based software applications offline. But the opaque 48-word statement didn't explain why, and left customers frustrated and worried.
"Going dark as much as you have has done nothing to stop us from fearing the worst," one person replied on Twitter. "Has there been a security breach?" asked another.
Martin Wuite, chief information officer at Wolters Kluwer, was trying to find out, too. He'd become aware of anomalies in his company's servers around 8 a.m. ET Monday after an automated monitoring system had flagged something was wrong.
"Customers were alerted immediately as soon as we discovered the issue," he said. "When we detected the malware, we proactively took a broad range of platforms offline to protect our customers' data."
Wolters Kluwer, based in small town in the Netherlands and with a market value of around $19 billion, is a little known accounting software giant, providing services to health, tax and compliance industries. According to the company, 93% of Fortune 500 companies are its customers.
While Wuite worked on Monday morning in Holland to uncover the extent of the problem, Amber Deiterich, a senior tax accountant at Collings CPA Firm in Tuscon, Arizona, arrived for work prepared for a busy week. Collings' non-profit clients face a May 15 deadline to file their tax returns with the U.S. Internal Revenue Service. Failing to do so may result in financial penalties.
Turning on her office computer, Deiterich noticed the software she uses for everything from entering client data to electronically filing tax returns, wasn't working. She'd become accustomed to periodic outages of Wolters Kluwer software — which includes CCH SureTax and CCH Axcess — since her firm signed on as a customer in the fall of 2018.
But this time, something was different. A message told her the software was down for "scheduled maintenance" and wasn't expected to be up and running again until the next day. She tried to check the website of Wolters Kluwer, but that was offline too. When she called a customer support number in the U.S. a message said the company was experiencing technical difficulties. Then the line went dead.
Deiterich turned to social media, where CCH customers across the world were complaining of the same issue. Almost 24 hours after the outage first began, she saw the short message Wolters Kluwer had posted to its U.S. Facebook page — not a channel the company had used for such important communication before — about its "network and service interruptions."
"You could do a basic Google search and find out more than they were reporting," she said in an interview.
Two years ago this week, the U.K.'s National Health Service was one of innumerable institutions crippled by a cyber attack and a piece of malware called WannaCry. The malware attack has seen Wolters Kluwer join a growing list of high-profile companies and institutions that failed to protect their core assets from devastating cyber-attacks.
Kris McKonkey, who heads the cyber threat detection and response team for accounting and consulting firm PwC in the U.K., said that attacking the "software supply chain" — especially enterprise software that is used across a particular industry or sector — is an increasingly popular tactic for sophisticated hackers, including groups associated with nation-states.
In 2017, malware known as NotPetya targeted accounting software called M.E. Doc which was used throughout the Ukraine. From there, the attack spread around the globe, ultimately crippling operations at AP Moller-Maersk and a number of other companies. Total damages from NotPetya are thought to run to a reported $10 billion. Security experts believe NotPetya was launched by Russia as part of an on-going cyber campaign against Ukraine.
On Tuesday, about 24 hours after Wolters Kluwer confirmed malicious software in its network was the cause of the disruption. More products were pulled offline to try and limit damage.
"We have a deadline on 5/15 and need to be filing extensions/returns," one person wrote in response on Twitter. "Wolters Kluwer, you are going to be responsible for any penalties and interest," another vented.
During the outage, Deiterich said she and the other tax accountant who works for Collings, plus an executive assistant, sat idle. Unable to access their time keeping records on CCH, Collings missed its payroll deadline, meaning Deiterich and the other tax professionals will get paid late.
Collings had considered resorting to old-fashioned paper forms to meet tax filing deadlines for clients, she said, but even doing that was problematic because all of the client data they needed to fill in those forms was inaccessible, stored on the CCH servers.
Many of Wolters' clients are small to mid-sized accountancy firms who rely on a whole suite of products. Both Collings CPA and the Tidwell Group, a firm of 200 accountants and consultants headquartered in Birmingham, Alabama, use CCH's software not just to file client tax returns, but to keep track of their own billing and accounts receivable.
"We are one of the firms that has gone all-in with them," Wayne Jordan, the chief information officer at Tidwell Group said of CCH's suite of products. "Without it, we were fairly helpless."
On May 8, Wolters Kluwer published a statement to say it'd created a temporary telephone support line, but with a caveat: "While we may not be able to directly answer your question, we will forward your inquiry internally to the appropriate party."
It wasn't until the afternoon of Thursday, May 9, that Jordan discovered service had been restored and he could electronically file tax returns with the IRS. He only found out by repeatedly trying to use the service, not through any official channel, he said. "Communication was the biggest problem we experienced throughout the whole event."
Even Wolters' staff were kept in the dark. When asked on Thursday about reports about a malware attack on the company, one customer service representative based in Canada said "We don't have any information so far, we don't know yet what happened."
Wolters Kluwer's Wuite told Bloomberg that the company had seen "no evidence that customer data or systems were compromised or that there was a breach of confidentiality of that data," and that law enforcement had been alerted to the breach. There was no indication of data loss or other effects, nor any potential risk to client data, he said. The company told Bloomberg in an emailed statement on May 11 that it had agreed with the IRS to grant tax filing extensions to some customers affected by the outages.
Many products are now back online, while some of which were functional since May 7. Wuite said it's working with third-party forensic firms to discover the "root cause" of the attack, but was unable to confirm which piece of malware — and which individual or other entity — was responsible for deploying it.
McKonkey said that hackers will often try to compromise the servers that send out updates and patches to all users of that software, passing off their malware as a legitimate update. In some cases, the hackers' target may be one specific firm that they know use that software and the other firms in the industry are simply considered "collateral damage." This is called "a waterhole attack," McKonkey said, because it is like hunters staking out a water source in the Savannah to find big game.
"If you get the right software, you are guaranteed to get a whole swath of victims in that specific area," he said.
Bloomberg's Chris Fournier contributed.