
Vendor/Supply Chain CyberSec – Lessons to be learned from the CCH Hack

On Friday, May 3, 2019, Wolters Kluwer CCH, the cloud-based tax division of the Netherlands-based global information services firm Wolters Kluwer, was notified of an apparent security/data privacy issue by Brian Krebs, the world-famous cybersecurity expert behind KrebsonSecurity. Wolters Kluwer is a global provider of professional information, software solutions, and services for clinicians, nurses, accountants, lawyers, and the tax, finance, audit, risk, compliance, and regulatory sectors.

On Monday, May 6, 2019, CCH took several applications offline, including some of its communications applications. On a somewhat sporadic basis, they used social media and email to inform some clients of the malware/infection-caused outage, but with no detailed plan of action for response or recovery. While there are alternatives to CCH (like Thomson Reuters, among others), many CPA firms rely on CCH for their businesses. CPA firms share sensitive client data via cloud portals with these tax return preparation software giants. So what exposure do CPA firms have as a result of this compromise at CCH? To be fair, this is not the only successful breach of professional CPA firm tax prep software, as we shared about the TurboTax breach in February 2019.

What we are trying to reiterate is that your organization’s risk surface is larger than just your network and computers. We all too often hear from firms about protecting sensitive data entrusted to them by their thousands of clients, “We use XYZ brand tax prep software and it’s real secure, so we are squared away on data privacy and cybersecurity.”

Obviously, they are not, as these news headlines continue to prove.

Most businesses today rely on several, if not dozens, of third-party service providers and vendors to support core business functions. Besides the applications, consider that your multi-function printers contact the vendor that services them to schedule maintenance automatically, and there is a hard disk drive inside each machine that has retained a copy of everything you have ever copied, faxed, scanned or printed!

Remember this interconnectedness without adequate vigilance was how Target made all the bad headlines; their HVAC contractor had access to the same network as the core business – and the credit cards within it.

What all organizations (especially companies whose stock in trade is sensitive information, like CPA firms) should do is implement a robust vendor/supply chain management program. This would help them understand who all their vendors are, what kinds of information they are sharing and how often, as well as what these vendors’ Incident Response Plans are supposed to look like. Next, CPA firms should have and regularly exercise their own Incident Response Plan that includes a contingency for dealing with a compromise of a key vendor supply chain member, like CCH. Crisis communications provisions should be included to address all stakeholders, clients, media, regulators, etc. in a timely manner.

The point to remember is you can outsource many things – however, the ultimate responsibility for security and data privacy is NOT one of them. Regularly assessing your third-party vendors should be a key part of your robust cybersecurity/data privacy program, lest you hand the attackers the keys to your kingdom!

If you feel that this breach may have affected your business or clients, contact us immediately here to discuss next steps.