Be careful, Canadian accountants! Your CPA Canada info was hacked
Canadian accounting profession hit by cyberattacks during COVID-19
TORONTO, June 4, 2020 – Canadian accountants should be on the lookout for phishing emails as Canada’s national accountancy body has reported a breach of membership information. Chartered Professional Accountants of Canada (CPA Canada) reported yesterday that its website was attacked between November 30, 2019 and May 1, 2020. It learned of the incident between April 20th and April 24th, and “possible phishing activity relating to its website and email addresses of some CPA Canada members.”
CPA Canada provided updated information today, explaining that “the incident affects over 329,000 individuals, including members and other stakeholders.” The breach, according to CPA Canada, predominately relates to the distribution of Pivot, CPA Canada’s member magazine, which has a circulation that includes stakeholders of the Canadian accounting profession.
The Pivot mailing list includes personal information such as names, addresses, email addresses and employer names. In cases where passwords and full credit card numbers were affected, all were protected by encryption, says CPA Canada. Members received notice that “This includes the first digit and last four digits of your credit card number and your credit card expiry date. Your full credit card number was protected by encryption.”
CPA Canada says provincial and regional CPA associations operate independent websites, portals and systems, and were not targeted in the cyberattack. The national body notified the Canadian Anti-Fraud Centre and issued a notification to members on April 24 but appears to have increased its awareness campaign this week.
Cyberattacks hitting Canadian accounting profession during pandemic
According to Lauren Reid, president of the Toronto-based boutique consulting firm, The Privacy Pro, “Data breaches are increasingly common, in fact many experts advise we should not ask if a data breach will happen, but when. Companies need to prepare in advance so they can respond quickly and investigate. Once they know what happened, transparency is key. They should notify those affected, as well as report the breach to law enforcement and privacy regulators.”
In early April, MNP LLP, the fifth largest accounting firm in Canada, was reportedly hit with a ransomware attack that forced a company-wide shutdown of its systems. Randy Mowat, senior vice-president of marketing at the homegrown Canadian firm, confirmed the cyberattack in a statement later that month. Many employees reported that they were unable to work during the subsequent week as an investigation continued into the breach.
Like most Canadian companies, accounting firms and regulatory bodies have told their employees to work from home during the current COVID-19 pandemic, which has led to increased risk of cybersecurity breaches. “Cybercriminals are taking advantage of the stresses, distractions and uncertainties caused by new work arrangements and technologies, and the fears and uncertainties caused by the COVID-19 pandemic itself, by attacking improperly configured or misused technologies, exploiting technical vulnerabilities, and engaging in various forms of fraud,” writes Bradley J. Freedman of Borden Ladner Gervais LLP, in "Cybersecurity and the COVID-19 pandemic."
Big Four accounting firms Deloitte and PwC have also written advisories on cybersecurity during COVID-19. In Canadian Accountant, Professor Aaron Mauro of Brock University has written on how working from home during the coronavirus pandemic creates new cybersecurity threats.
Says Reid, “With the CPA Canada breach, it appears that no sensitive or financial data was compromised. This means the risk of identity theft is lower, but people should be aware that scammers can use their personal information to cause other kinds of harm. Members who were notified that their information was stolen should be on alert for suspicious emails or calls that ask for information, as they might be phishing attempts.”
CPA Canada members express concern
Canadian accountants are very concerned about the CPA Canada breach, since it appears that sensitive personal information may have been exposed. One chartered professional accountant, who asked not to be identified, told Canadian Accountant that “trust and confidentiality are the cornerstones of our profession. We are currently in the midst of tax season where our clients entrust their personal and confidential data to us and I'm worried that this might lessen their confidence in our ability to keep their data secure.”
The member, who also cited the technology breakdown during the September 2019 CPA Common Final Examination, was concerned as to the payment of annual membership fees currently due, which many members pay by credit card. CPA Canada warns that the data obtained in the April 2020 breach could be used in email phishing scams and encourages those affected to "remain vigilant."
If members have any questions about the cybersecurity incident, they may contact CPA Canada Customer Service at 1.800.268.3793, between 9 a.m. to 5 p.m. (ET), Monday through Friday, or by email at email@example.com. CPA Canada states that it sincerely regrets the incident and wants members to know that it takes the matter seriously. "Protecting your privacy and safeguarding the information in our care is one of our most important responsibilities."
Colin Ellis is a contributing editor to Canadian Accountant.