Over 300,000 Canadian accountants and related stakeholders have been hit by a breach of a professional member association, it emerged late last week.
The Chartered Professional Accountants of Canada (CPA Canada) revealed in a statement that an unauthorized third party had managed to access personal information after compromising the organization’s website.
Over 329,000 individuals including members and others have been notified and warned of follow-on attacks.
The compromised information relates mainly to the CPA Magazine and includes names, addresses, email addresses and employer names. CPA Canada claimed that passwords and full credit card numbers were encrypted, although didn’t specify what type of algorithm was used to scramble these details.
“CPA Canada today has notified affected individuals that the information involved could be used for the purposes of targeted phishing scams,” the organization said.
“CPA Canada is encouraging affected individuals to remain vigilant about any emails they may receive asking them to provide sensitive information or click on links or attachments, even if they appear to come from CPA Canada or an individual or company they know or trust.”
Although CPA Canada said it took “immediate steps” to secure its systems and work out what had happened, in reality the breach may have taken place several months ago. The organization linked the incident to an alert it issued back in April about an apparent phishing campaign in which users were requested to change their CPA Canada passwords because of a website breach.
“We are told that these emails appear to originate from the IT department of the employer of the individual receiving the message. These emails suggest that their IT department suspects a cybersecurity compromise with the cpacanada.ca domain,” it explained at the time.
“It is important that you do not act on the directions in any such email. CPA Canada continues to monitor the security of its web platform and is not experiencing anything unusual. In addition, the integrity of our password reset process remains secure.”