Accounting software giant Wolters Kluwer NV hit by cyber attack

Bloomberg | Updated on May 13, 2019 Published on May 13, 2019

Dutch company, Wolters Kluwer NV, made the software on which many of the worlds small and mid-sized accounting firms run. Earlier this week, a cyber attack took down that software and presented a case study on how not to communicate with customers over a hack.

The company told its followers on Facebook and Twitter on May 6 that, out of caution, its taken some of its cloud-based software applications offline. But the opaque 48-word statement did not explain why, and left customers worried.

“Going dark as much as you have has done nothing to stop us from fearing the worst,” one person replied on Twitter. “Has there been a security breach?” asked another.

Martin Wuite, Chief Information Officer at Wolters Kluwer, was trying to find out too. He’d become aware of anomalies in his company’s servers on Monday after an automated monitoring system had flagged something was wrong.

“When we detected the malware, we proactively took a broad range of platforms offline to protect our customers data,” he said.

Wolters Kluwer, based in a small town in the Netherlands, with a market value of around $19 billion, is a less known accounting software giant, providing services for health, tax and compliance industries. According to the company, 93 per cent of Fortune 500 companies are its customers.

While Wuite worked on Monday in Holland to uncover the extent of the problem, Amber Deiterich, a senior tax accountant at Collings CPA Firm in Tuscon, Arizona, arrived for work prepared for a busy week. Collings’ non-profit clients face a May 15 deadline to file their tax returns with the US Internal Revenue Service.

Malware targets

Two years ago this week, the U.K. National Health Service was one of the innumerable institutions crippled by a cyber attack and a piece of malware called WannaCry. The malware attack has seen Wolters Kluwer join a growing list of high-profile companies and institutions that failed to protect their core assets from devastating cyberattacks.

Kris McKonkey, who heads the cyber threat detection and response team for accounting and consulting firm PwC in the U.K., said that attacking the software supply chain, especially enterprise software that is used across a particular industry or sector, is an increasingly popular tactic for sophisticated hackers, including groups associated with nation-states.

In 2017, malware known as NotPetya targeted accounting software called M.E. Doc which was used throughout the Ukraine. From there, the attack spread around the globe, ultimately crippling operations at AP Moller-Maersk A/S and a number of other companies. Total damages from NotPetya are reported to be $10 billion. Security experts believe NotPetya was launched by Russia as a part of an on-going cyber campaign against Ukraine.

On Tuesday, about 24 hours after Wolters Kluwer confirmed malicious software in its network was the cause of the disruption, more products were pulled offline to try and limit damage.

During the outage, Deiterich said she and the other tax accountant who works for Collings, plus an executive assistant, were unable to access their time keeping records on CCH, and Collings missed its payroll deadline, meaning Deiterich and the other tax professionals will get paid late.

“Collings had considered resorting to old-fashioned paper forms to meet tax filing deadlines for clients,” she said, “but even doing that was problematic because all of the client data they needed to fill in those forms was inaccessible, which are stored in the CCH servers.”

Many of Wolters clients are small to mid-sized accountancy firms who rely on a whole suite of products. Both Collings CPA and the Tidwell Group, a firm of 200 accountants and consultants in Birmingham, Alabama, use CCH’s software, not just to file client tax returns, but to keep track of their own billing and accounts.

“We are one of the firms that has gone all-in with them,” said Wayne Jordan, the Chief Information Officer at Tidwell Group.

On May 8, Wolters Kluwer published a statement to say its created a temporary telephone support line, but with a caveat. “While we may not be able to directly answer your question, we will forward your inquiry internally to the appropriate party,” it said.

It wasn’t until the afternoon of Thursday, May 9, that Jordan discovered service had been restored and he could electronically file tax returns with the IRS. He only found out by repeatedly trying to use the service, not officially. “Communication was the biggest problem we experienced throughout the whole event,” he said.

Even Wolters’ staff were kept in the dark. When asked, on Thursday, about reports regarding the malware attack on the company, one customer service representative based in Canada said , “We dont have any information so far, we don’t know what has happened yet.”

Wolters Kluwers Wuite told Bloomberg, that the company had seen no evidence that customer data or systems were compromised or that there was a breach of confidentiality of that data and that law enforcement had been alerted about the breach. “There was no indication of data loss or other effects, nor any potential risk to client data,” he said. The company told Bloomberg in a statement on May 11 that it had agreed with the IRS to grant tax filing extensions to some customers affected by the outages.

Many products are now back online, while some of which were functional since May 7. Wuite said its working with third-party forensic firms to discover the cause of the attack, but was unable to confirm what malware or which individual or other entity was responsible for deploying it.

“Hackers will often try to compromise the servers that send out updates and patches to all users of that software, passing off their malware as a legitimate update. In some cases, the hackers target may be one specific firm that they know use that software and the other firms in the industry are simply considered collateral damage. This is called a waterhole attack,” McKonkey said.

Published on May 13, 2019
This article is closed for comments.
Please Email the Editor