Cyber Incident Victim: Wolters Kluwer
Date: May 2019
Location: Netherlands
Summary
A Wolters Kluwer tax software division experienced a significant outage after a security researcher reported publicly accessible file directories that allowed anonymous uploads and contained suspicious files. The company took affected systems offline, later attributing the disruption to malware detected during its investigation, which prompted proactive isolation of multiple platforms and applications. Service restoration began gradually, though many users reported prolonged inaccessibility of critical tax data and client information, leading to widespread frustration. The firm asserted that there was no evidence of compromised customer data or confidentiality breaches, and it involved law enforcement and third-party forensics in ongoing remediation efforts while prioritizing system integrity before reactivation.
Description
On May 3, 2019, a security researcher notified Wolters Kluwer’s CCH tax software division about a critical vulnerability involving publicly writable file directories hosting tax software downloads. The researcher observed suspicious PHP and text files in these directories, including one referencing unrelated Russian-language forums, though no evidence indicated client data exposure. Shortly after this report, CCH took the affected file directory offline. By May 6, widespread outages impacted multiple CCH platforms, preventing users from accessing client tax data stored in the cloud. Customers across multiple U.S. states reported prolonged service disruptions, with Wolters Kluwer’s main support line acknowledging "technical difficulties." Initial attempts to contact the company for clarification on the directory exposure and software integrity checks went unanswered, though marketing personnel initially promised follow-up.

Wolters Kluwer confirmed on May 6 that monitoring systems detected technical anomalies, leading to the discovery of malware installations. The company proactively shut down a broad range of platforms, including CCH tax applications, to isolate the threat and protect customer data. This aggressive containment strategy caused significant service interruptions and impaired internal communication channels, limiting outage updates and fueling customer frustration on social media and Reddit threads. By May 7, services including CCH Axcess, SureTax, AnswerConnect, and Intelliconnect were restored after security validation, though users in Florida, Maine, Texas, and other regions reported lingering outages. The company engaged third-party forensic consultants and law enforcement, maintaining that there was no evidence of compromised customer data or confidentiality breaches. Restoration efforts continued beyond May 9, with unresolved outages affecting remaining platforms.
