Chartered Professional Accountants of Canada (CPA) today disclosed that a cyberattack against the CPA Canada website allowed unauthorized third parties to access the personal information of over 329,000 members and other stakeholders.
CPA Canada is a national organization with more than 217,000 Chartered Professional Accountants as members and one of the largest national accounting bodies in the world.
The national accounting body was created by unifying three other Canadian accounting organizations: the Society of Management Accountants of Canada (CMA Canada), the Canadian Institute of Chartered Accountants (CICA), and the Certified General Accountants of Canada (CGA-Canada).
After discovering the data breach at an as yet undisclosed date, CPA Canada contained the incident by taking measures to secure the compromised systems and notified the affected individuals after identifying them.
"The information involved predominately relates to the distribution of the CPA Magazine and includes personal information such as names, addresses, email addresses and employer names," the breach notification reads.
The organization says that passwords and full credit card numbers were also exposed in the incident, but they were all "protected by encryption."
CPA Canada also contacted law enforcement agencies, the Canadian Anti-Fraud Centre, as well as privacy authorities.
"Safeguarding the information in our care is one of our most important responsibilities and we sincerely regret any concern this incident may cause," CPA Canada President and CEO Joy Thomas said.
CPA Canada is also urging affected individuals not to fall victim to future phishing emails that could ask them to disclose sensitive information, click on links, or download malicious attachments, "even if they appear to come from CPA Canada or an individual or company they know or trust."
According to the organization, the attack on the CPA Canada website and the resulting data breach were discovered after a phishing campaign targeted its members in April.
The organization sent a notification to all its members on April 24, 2020, warning them of the ongoing phishing campaign.
"We have been made aware of suspicious security email notifications members are receiving asking them to change their CPA Canada password due to a security breach on cpacanada.ca," the phishing alert said at the time [1, 2].
"Members are asked not to act upon suspicious emails that encourage a change of their CPA Canada password. [..] We are informing you directly about these emails, given the large number of members who are visiting CPA Canada’s website.
"CPA Canada continues to monitor the security of its web platform and is not experiencing anything unusual. In addition, the integrity of our password reset process remains secure."
BleepingComputer has reached out to CPA Canada for more details but had not heard back at the time of this publication.