Cybersecurity and Accounting
Most industries have a trade association or professional body whose role is to bring together leaders and members to discuss issues, communicate with the membership, and serve as a portal for the industry. Accounting is no different. In the US, the AICPA performs these tasks, and does so in a timely, exceptionally professional manner. Canada likewise has such a body for its accountants. Another commonality is that these organizations are attractive targets because of the data they hold on their members and clients. The Chartered Professional Accountants of Canada (CPA Canada) recently found this out the hard way when it was breached.
As the name implies, the organization represents Canadian accountants, over 210k members in total. It provides accounting guidance and resources to its membership, a service that is vital to business, accounting firms, and the stock market.
The organization was the victim of a successful phishing attack. It notified the affected parties of the breach on June 3, 2020. Curiously, the organization had been aware of the attack since April 24, meaning it took over a month to notify the persons affected. CPA Canada has said it will not disclose the methodology used in the attack. To a degree this is understandable: the organization may not want details published that could be reused in further attacks or that reveal its security posture. Once the issue is corrected, though, the details could be shared as a learning tool or use case for others.
CPA Canada certainly held information useful to the attackers, namely members' personal information: contact details (names, addresses, email addresses, and employer names). The passwords and credit card numbers, fortunately, were encrypted. The list of persons was primarily composed of CPA Magazine subscribers, and it was not limited to members but also included other stakeholders, totaling over 329k persons. Granted, the data involved was confidential. However, this could have been much worse if the other data had not been encrypted, or if the attackers had been able to pivot from this point and gain access elsewhere. One caveat: encryption only protects the data for as long as the keys stay out of the attackers' hands, so the password reset recommended to members is the right call regardless. The contact details alone are also enough to craft convincing follow-on phishing against the people on the list.
The organization has notified its members and the others whose data was affected, and recommended that they change their passwords. It is also working with cybersecurity personnel to verify that the system is secure and to determine exactly what data was copied. In addition, it has naturally contacted the appropriate law enforcement agencies, the Canadian Anti-Fraud Centre, and the relevant privacy authorities.
One lesson from this is that phishing continues to be, and for the foreseeable future will remain, an entirely viable attack. It has proven successful and will not slow down. Organizations need to keep training their employees against it. The system may be completely secure on paper, however all it takes is the right person in the right department clicking the link or opening the attachment, and we are off to the races. Training reduces the odds but never eliminates them, so the other half of the defense is limiting what a single phished account can reach: multi-factor authentication on every login, least privilege on the accounts staff use day to day, and alerting on unusual access to the membership database.
Solomon, H. (2020, June 4). Canadian accounting association website gets hacked. Retrieved from https://www.itworldcanada.com/article/canadian-accounting-association-website-gets-hacked/431712
Solomon, H. (2020, June 8). Canadian accounting association website gets hacked. Retrieved from https://business.financialpost.com/technology/tech-news/canadian-accounting-association-website-gets-hacked
The Canadian Press. (2020, June 4). Canadian accountants’ association suffers cyberattack; data of nearly 330k affected. Retrieved from https://globalnews.ca/news/7025862/cpa-canada-accountants-cyberattack/
The IJ Staff. (2020, June 4). CPA Canada hacked, subscriber information exposed. Retrieved from https://insurance-portal.ca/article/cpa-canada-hacked-subscriber-information-exposed/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.