Data Breach in CPA Canada
A breach of CPA Canada exposed the personal data of over 300,000 Canadian accountants and stakeholders.
According to published reports, the exposed information related to the distribution of CPA Magazine. CPA Canada said credit card numbers and passwords were encrypted and not among the exposed data. The attackers accessed members’ contact information held on the organization’s website.
Approximately 329,000 individuals were notified of the breach and warned of possible attacks in the future.
CPA Canada warned members to stay vigilant for phishing emails, texts or phone calls that may follow from the attack, since stolen contact details are exactly what attackers need to make such messages convincing.
Taking Secure Steps
Members of CPA Canada should scrutinize incoming email and avoid opening attachments or following links in unsolicited messages.
CPA Canada has taken steps to secure its website and systems, but the intrusion may have begun months before it was discovered. As with many breaches, it is difficult to pinpoint exactly when the initial compromise occurred.
The association ties the incident to an alert it issued in April about a phishing campaign that asked users to change their CPA Canada password because of a supposed website breach. Harvesting credentials through a fake password-reset page is one of the most common ways attackers gain access to information.
A similar campaign followed the launch of Disney Plus: experts say attackers sent fraudulent emails asking users to “verify” their passwords, which were then harvested and sold on the dark web.
In the CPA Canada campaign, the emails were crafted to appear to come from the IT department of the recipient’s own employer, and claimed that IT suspected a security issue with the domain cpacanada.ca. Checking the actual sender address and the real destination of any link, rather than the display name and the visible link text, is the simplest way to expose such a message.
This is Nothing New For CPAs
Unfortunately, this type of event is all too common for accounting firms. In April 2020, the IRS warned taxpayers and firms to watch for phishing scams built around the stimulus payments from the CARES Act.
Cyber security experts advise accountants to take even greater care of their data especially when working remotely.
The forced rush to digitize has left many firms more exposed to attack than ever. The usual types of phishing attacks are all still present, only now they are more frequent. Attackers know that firms which struggled to shift to a remote environment left many weaknesses exposed.
The IRS itself struggled to enable its employees to work remotely. Changes to internal systems and the adjustments made to enable remote access leave gaps for attackers that firms might not otherwise have.
Some Firms are More Vulnerable Than Others
CPA Canada reports that all activities have returned to normal for now, but things could have turned out much worse. Accounting firms that neglect their cybersecurity can quickly become victims. A common outcome once attackers gain access is ransomware: they encrypt the firm’s data and withhold the key until the firm pays.
Larger firms tend to be better protected because they perform frequent audits and have security consultants on hand. Smaller firms often lack the resources and the cyber security skills necessary to protect themselves.
These firms still handle sensitive financial information, so they become attractive targets. It is often easier for an attacker to compromise several small firms than one large one.
Firms also suffer incidents caused by spiteful or careless employees. Regular backups are far better than nothing, but they only restore availability: they do nothing about data the attacker has already copied, and an attacker who still holds that data can keep extorting the firm. Paying the ransom does not guarantee an end to the attack either.
How Do You Prepare Against Phishing Attacks?
You cannot stop every employee from ever clicking a malicious link, so the best way to prepare is to limit the damage of a successful attack: take incremental backups and test those backups consistently. Backups are useless if you cannot actually restore your systems when something happens, so a successful restore test, not the mere existence of backup files, is the measure that matters.
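As an added example (not CPA Canada’s or any vendor’s procedure), the following Python script shows what “incremental backups plus a restore test” looks like in practice: only files whose content changed since the last run are archived, the restore extracts each member only after a path check, and a verification step compares the restored tree against the source. The directory names, the sample files and the JSON manifest format are assumptions made for illustration.

```python
"""Incremental backup with a restore-and-verify check (added example).

Standard library only. The manifest format, file names and sample data are
constructed for illustration, not taken from any real backup product.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content hash of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def incremental_backup(src, archive_path, manifest_path):
    """Archive only files whose content changed since the manifest was written.

    Returns the relative paths that went into the archive. Deletions are not
    tracked here; a production scheme records them so a restore can remove
    files that no longer exist in the source.
    """
    manifest_path = Path(manifest_path)
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = snapshot(src)
    changed = [rel for rel, digest in current.items() if previous.get(rel) != digest]
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in changed:
            tar.add(Path(src) / rel, arcname=rel)
    manifest_path.write_text(json.dumps(current, indent=2))
    return changed


def restore(archives, target):
    """Extract archives oldest first, so later incrementals overwrite earlier copies.

    Each member is checked before extraction so a tampered archive carrying
    '../' names cannot write outside the target directory.
    """
    target = Path(target).resolve()
    for archive in archives:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                dest = (target / member.name).resolve()
                if not member.isfile() or target not in dest.parents:
                    raise ValueError(f"refusing unsafe archive member {member.name!r}")
                dest.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src_f, open(dest, "wb") as dst_f:
                    dst_f.write(src_f.read())


def verify_restore(src, restored):
    """Relative paths whose content differs between source and restore (empty set == good)."""
    before, after = snapshot(src), snapshot(restored)
    return {rel for rel in set(before) | set(after) if before.get(rel) != after.get(rel)}


def demo():
    """Full cycle on constructed sample data: full backup, change, incremental, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak, out = tmp / "src", tmp / "backups", tmp / "restored"
        (src / "clients").mkdir(parents=True)
        bak.mkdir()
        out.mkdir()
        (src / "ledger.csv").write_text("acct,amount\n1001,250.00\n")            # constructed
        (src / "clients" / "notes.txt").write_text("constructed sample data\n")  # constructed
        manifest = bak / "manifest.json"
        first = incremental_backup(src, bak / "0001-full.tar.gz", manifest)
        (src / "ledger.csv").write_text("acct,amount\n1001,250.00\n1002,75.10\n")
        second = incremental_backup(src, bak / "0002-incr.tar.gz", manifest)
        restore([bak / "0001-full.tar.gz", bak / "0002-incr.tar.gz"], out)
        return first, second, verify_restore(src, out)


if __name__ == "__main__":
    full, incr, mismatches = demo()
    print("full backup:", full)
    print("incremental:", incr)
    print("restore verified" if not mismatches else f"MISMATCH: {sorted(mismatches)}")
```

The point of `verify_restore` is that it is run every time, not just when the scheme is set up: a backup job that still “succeeds” after a path was renamed or a share went offline will silently produce archives that restore nothing useful.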
Working Remotely Adds New Risks
Now that CPA firms are working remotely, they may not have the same resources or security measures they would have in an office setting. Firm employees typically access applications from managed office desktops. Accessing the same applications from an unmanaged personal device widens the attack surface even over a VPN, because the VPN protects the connection, not the device at the end of it.
If a firm failed to assess the security measures needed to function remotely, it can leave the door open to an attack that breaches its systems quickly.
Compliance is Key
One way smaller firms can avoid scenarios like the one described above is to apply IT security best practices. Even a small firm with limited IT personnel can turn to managed IT services providers for the needed boost in security.
How? By doing what the larger firms do: applying best practices to all of their systems. Depending on the clients it serves, a CPA firm may have to meet strict compliance regulations in order to operate. SOX and FINRA rules, for example, require regular audits that demonstrate sensitive financial data is kept safe.
The added benefit of achieving compliance is that it requires a secure IT infrastructure. By auditing and verifying compliance, firms are also checking for cyber vulnerabilities.
Cyber criminals have learned that companies are increasingly difficult to infiltrate by breaking through their security systems directly. That is why they rely on phishing attacks to go around the problem.
Phishing Attacks Still Happen Because They Still Work
In the case of CPA Canada, a phishing scam exposed valuable information. Phishing remains the most popular form of cyber attack today because it targets the user rather than the network.
Phishing is all about manipulating the target into performing an action, such as downloading an infected attachment, clicking a malicious link, or typing a password into a look-alike login page.
With phishing, attackers do not have to worry about the strength of a firm’s network defences, because no matter how strong the network, it is only as strong as its most gullible employee.
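As an added example, not code from CPA Canada or from Nerds Support, here is a small Python checker that applies the checks a mail filter or a careful reader would apply to the kind of message described in this article: a sender posing as “IT”, a domain that merely resembles the real one, a link whose visible text differs from its actual target, and password-reset urgency. The two messages are constructed samples modelled on the article’s description; the list of legitimate domains, the urgency phrases and the two-label domain simplification are assumptions.

```python
"""Flag common phishing indicators in a raw email message (added example).

Heuristics and both sample messages are constructed for illustration; the only
real-world detail is that cpacanada.ca is the organisation's genuine domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"cpacanada.ca"}  # assumption: the only domain the org mails from

# Wording typical of password-reset lures (constructed list, not a full ruleset).
URGENCY_PHRASES = ("verify your password", "reset your password", "change your password",
                   "account will be suspended", "within 24 hours")

# Good enough for well-formed mail; a real filter would parse the HTML properly.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """'www.example.com' -> 'example.com' (two-label simplification; a real
    filter would consult the public suffix list for cases like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(url_or_host):
    """Registrable domain of a URL, bare hostname or link text, else None."""
    candidate = url_or_host.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return registrable_domain(host) if host and "." in host else None


def is_lookalike(domain):
    """Not a legitimate domain, but borrows a legitimate brand label."""
    return domain not in LEGITIMATE_DOMAINS and any(
        legit.split(".")[0] in domain for legit in LEGITIMATE_DOMAINS)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in the message; empty list == nothing odd."""
    msg = message_from_string(raw_message)
    found = []

    # 1. Who really sent it? Judge the address, not the display name.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr.rpartition("@")[2]) if "@" in from_addr else None
    if from_domain and is_lookalike(from_domain):
        found.append(f"lookalike sender domain {from_domain}")
    if from_domain not in LEGITIMATE_DOMAINS and re.search(r"\b(it|support|helpdesk)\b", display_name, re.I):
        found.append(f"display name {display_name!r} claims IT/support but sender is external")

    # 2. Where do the links really go? Compare the visible text with the href.
    body = "\n".join(
        (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    for href, text in ANCHOR_RE.findall(body):
        href_domain, text_domain = domain_of(href), domain_of(re.sub(r"<[^>]+>", "", text))
        if href_domain and text_domain and href_domain != text_domain:
            found.append(f"link text shows {text_domain} but points to {href_domain}")
        if href_domain and is_lookalike(href_domain):
            found.append(f"lookalike link domain {href_domain}")

    # 3. Is it pushing the reader to act on their password right now?
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    found.extend(f"credential lure: {phrase!r}" for phrase in URGENCY_PHRASES if phrase in haystack)
    return found


# Constructed sample modelled on the campaign the article describes.
PHISHING_SAMPLE = """\
From: CPA Canada IT Support <it-support@cpacanada-secure.net>
To: member@example.org
Subject: Action required: reset your password after website breach
Content-Type: text/html; charset="utf-8"

<p>Our IT department suspects a security issue with the domain cpacanada.ca.
Please visit <a href="http://cpacanada-secure.net/reset">https://www.cpacanada.ca/login</a>
and reset your password within 24 hours.</p>
"""

# Constructed benign sample: genuine domain, link text matches its target, no lure.
LEGITIMATE_SAMPLE = """\
From: CPA Canada <news@cpacanada.ca>
To: member@example.org
Subject: CPA Magazine: May issue now online
Content-Type: text/html; charset="utf-8"

<p>Read it at <a href="https://www.cpacanada.ca/magazine">www.cpacanada.ca</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, phishing_indicators(sample) or "no indicators")
```

None of these heuristics is decisive on its own (a genuine IT helpdesk may well write “reset your password”), which is why the function returns the list of indicators rather than a verdict: several weak signals together are what should push a message to the IT team for a look before anyone follows the link.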
It can be even worse in a remote environment. Having a dedicated team of IT experts available 24/7 improves an employee’s chances of avoiding a phishing attack altogether.
Nerds Support has comprehensive IT solutions that allow our technicians to flag and monitor potential email scams. Whatever the size of your IT team, the safest action is to forward suspicious emails to your IT department rather than opening attachments or following links yourself.
CPA Canada has contacted the Canadian Anti-Fraud Center and privacy authorities to conduct a proper investigation. Only time will tell the full ramifications of this breach and how exposed those affected really are.