With most industries, there is a trade association or group.
The focus with these is to bring together leaders and members to discuss
issues, communicate messages to the membership and be a portal for the industry.
Accounting is no different. In the US, we have the AICPA, which functions to
administer these tasks. This is accomplished in a timely, exceptionally
professional manner. Canada is no different in that the accounting industry
likewise has this for our northern friends. Another commonality is that these
organizations are generally targets due to the data they hold for their clients. The Chartered
Professional Accountants Canada (CPA Canada) recently found this out, as they
were breached.
CPA Canada
Just as the name implies, the organization is involved with
Canadian accountants, representing over 210k members. The organization
provides accounting and guidance for its membership. This service is vital
for businesses, accounting firms, and the stock market.
Attack
The organization was
unfortunately the victim of a successful phishing attack. On June
3, 2020, the organization notified the affected parties of the breach. Curiously, the organization
was aware of the attack on April 24th, meaning it took over a month
to notify those affected. The organization will not be disclosing the methodology
used in the attack. On one level, this is understandable. The organization may
not want the details published, as these may be used in other attacks as
indications of its security posture. After the issue is corrected, though,
this could be used as a learning tool or use case for others.
Data
CPA Canada definitely held useful information for the
attackers to focus on. This included the members' personal information, namely
their contact details (names, addresses, email addresses, and employer name). The
passwords and credit card numbers, fortunately, were encrypted. The list of
persons was primarily composed of the CPA Magazine subscribers. The data covered not just
the members, but also the stakeholders, totaling over 329k persons. Granted, the data involved was confidential.
However, this could have been much worse if the other data had not been encrypted,
or if the attackers had been able to pivot from this point and gain access elsewhere.
Post-Breach
The organization has notified its members and others whose
data was affected by the breach. The members and stakeholders were advised
to change their passwords. The organization is also working with cybersecurity
personnel to verify the system is secure and to determine exactly what data was copied from
it. In addition, it naturally also contacted the appropriate law enforcement,
the Canadian Anti-Fraud Centre, and other privacy authorities.
One takeaway from this is that phishing continues to be, and
will be for the foreseeable future, an absolutely viable attack. It has
proven to be successful and will not slow down. Organizations need to
continue training their employees for this. The system may be completely
secure; however, all it takes is the right person in the right department to
click the link, attachment, etc., and we are off to the races.