The association representing the country’s accountants has warned over 300,000 members and others to watch for phishing scams after discovering its website was recently infiltrated.
Chartered Professional Accountants Canada, which sets standards and guidance for 210,000 accountants, said Wednesday that personal information, including contact information, was copied in the breach of security controls. The association later said that information on 329,000 individuals, including members and other stakeholders, was affected.
The information involved mainly relates to subscribers to the CPA Magazine and includes unencrypted names, addresses, email addresses and employer names. Copied passwords and full credit card numbers were protected by encryption.
The notice was a follow-up and confirmation of an April 24th warning issued about possible email phishing activity relating to the organization’s website and email addresses of some CPA Canada members.
“CPA Canada has discovered that unauthorized third parties accessed certain contact information held by the organization, including email addresses, through a cyber-attack against the CPA Canada website,” the latest statement says. “Upon discovering this, CPA Canada took immediate steps to secure its systems and conduct a comprehensive analysis to determine what information may have been involved.”
The association said it is working with cybersecurity experts to ensure that its systems are now secure and to identify what information was copied. In addition to notifying potentially affected individuals directly, CPA says it has contacted law enforcement, the Canadian Anti-Fraud Centre, and privacy authorities.
“We encourage individuals to remain vigilant, as always, about any emails, text messages or phone calls you may receive asking you to provide sensitive information or click on links or attachments, or that use urgent or threatening language, even if they appear to come from CPA Canada or an individual or company you know or trust,” the statement reads.
In an email, Dave Masson, director of enterprise security for Darktrace, said an attack on the CPA is so dangerous because people have a lot of trust in their accountants. Accountants have access to the most detailed and intimate financial information from organizations and people. “The ability for an attacker to be able to steal an accountant’s identity is invaluable since it would allow them to access sensitive data, ultimately causing damage to companies and people.”
In a statement on Thursday afternoon, Perry Jensen, CPA Canada’s media manager, said that for security reasons, the organization won’t discuss the method used by the attacker in this incident. “CPA Canada uses a range of security safeguards to attempt to prevent and detect potential security incidents. Unfortunately, no organization is fully immune from evolving and sophisticated cybersecurity threats. CPA Canada has already strengthened its security safeguards and is committed to identifying and implementing additional measures to further enhance its cybersecurity program.”
“We’d like to add that safeguarding information in our care is a responsibility that CPA Canada takes seriously. We regret that personal information of our members and others has been affected by a cyber-attack of the CPA Canada website. As part of our ongoing commitment to cybersecurity and protecting the information in our care, CPA Canada will continually seek opportunities to implement additional measures to further enhance our cyber-security systems and practices.”
While the information stolen in this breach does not appear to be as devastating as some of the other recent breaches, noted Irfahn Khimji, manager of Tripwire Canada, this is a good opportunity for all organizations to realize that the victims of cyber-attacks can be organizations of all shapes and sizes. In this case, the passwords and credit card numbers stolen were encrypted. However, the personal information stolen can be used by attackers to further target the victims of this attack. Individuals should take this opportunity to reset their passwords and consider using a password manager so that each of their logins has unique credentials.
“Furthermore, organizations should follow the example of CPA Canada in further enhancing their security measures. Organizations often wait until after a security incident to better their defences. In reality, organizations should optimize their security budgets by focusing on the basic and foundational critical controls, such as those recommended by the Centre for Internet Security. For instance, ensuring that systems are configured securely and vulnerabilities are mitigated is a great first step to limit the attack surface an intruder can use to gain access to these kinds of systems.”
CPA Canada was created six years ago from the merger of bodies representing general, chartered and management accountants. It oversees a professional development and certification program, as well as public awareness on financial issues.
(This story has been updated from the original with the addition of the number of affected people and comments from Perry Jensen and Irfahn Khimji.)