CPA Canada data breach allowed hackers to leak 330k account data

CPA Canada hit by the cyberattack affecting nearly 330,000 individuals

Chartered Professional Accountants of Canada^[1], a.k.a. CPA Canada revealed a data breach^[2] that affected nearly 330k members of the association. According to cybersecurity researchers, the attack has been initiated against the servers of the association, including the official website the cpacanada.ca.

Since the attack is currently under investigation, the company does not expatiate on the details. However, the CPA Canada President and CEO Joy Thomas said that hackers targeted the information regarding the distribution of the CPA Magazine, as well as names, email addresses, and home addresses of the members. Hackers obtained credit card numbers and passwords of 329,000 association members as well. However, CPA Canadian assured that banking information and passwords have been protected by encryption.

A scam campaign initiated back in April might have been a warning from hackers

Back in April 2020, CPA Canada released an official security notice for its members^[3]. According to the association, the inboxes of the association members’ emails have been actively spammed with phishing emails that urged the members to change passwords due to the security breach initiated against the cpacanada.ca website.

We are told that these emails appear to originate from the IT department of the employer of the individual receiving the message. These emails suggest that their IT department suspects a cybersecurity compromise with the cpacanada.ca domain.

Based on the gathered information, the IT department of the association suspected the possible data breach, though it hasn’t been confirmed. However, members have been urged to ignore the phishing emails, especially if they contain hyperlinks to the website of the association where the “Change password” section is disclosed. This domain may be hacked, thus the provided login details can leak to hacker’s hands directly.

Although the exact date of the current CPA Canada security breach is not disclosed yet, it’s very likely that the targeted attack has begun in April and manifested in early June. Upon revelation, the association contracted the Canadian Anti-Fraud Centre^[4] and started working with the law enforcement agencies. All affected individuals have been personally informed about the breach.

Safeguarding the information in our care is one of our most important responsibilities and we sincerely regret any concern this incident may cause.

CPA Canada – is one of the largest national accounting organizations is a huge interest for hackers

Chartered Professional Accountants of Canada (CPA) is a big fish for hackers. The association is one of the largest national accounting organizations all across the world. It unifies the Society of Management Accountants of Canada (CMA Canada), the Canadian Institute of Chartered Accountants (CICA), and the Certified General Accountants of Canada (CGA-Canada) accounting organizations.

CPA’s members are known as the most professional business experts supporting the organizations in Canada, the U.S, Europe, and other continents. It has over 210,000 professional accountants that have acquired valuable experience and data throughout the year of the membership. 

Organizations like CPA Canada is always at a heightened security risk since hackers target big companies that contain valuable data in the servers. This fact is acknowledged by the association itself. Thus, in 2015 it has released an official document called Cyber-Security Opportunities for Smaller Accounting Firms^[5].

Canadian accounting professionals are right to be concerned about IT security because emerging threats are significant and the risk of falling prey to malicious attacks is growing. A security incident can impact organizations on many levels, including time, money, reputation, and their professional status as members of CPA Canada. A data breach raises the likelihood of losing more than just business data. Even more crucially, client data may be lost as well.

According to CPA Canada’s research, a total of 43% of survey respondents have already experienced cyber-attacks that impacted the business significantly. The association is taking measures to protect its members, their data, and reputation. However, hackers create novel methods^[6] to attack suchlike companies, organizations, and associations, thus extra security measures should be taken to ensure protection.