CPA Canada Breached and 329,000 Members’ PII Exposed

Last updated September 25, 2021
Written by: Bill Toulas, Infosec Writer

The Chartered Professional Accountants of Canada (CPA) has announced a catastrophic data breach that exposed sensitive information concerning approximately 329,000 of its members and other stakeholders. CPA is Canada’s national organization for professional accountants and one of the largest of its kind in the world. It was formed through the unification of three Canadian accountant associations, so it is a single large platform that brings everyone working in the field under the same umbrella. While this consolidation has its benefits, it also has drawbacks: a single security incident can result in a large-scale compromise.

The individuals affected by the data breach are receiving notifications in which CPA describes its discovery of an unauthorized third party accessing its systems. The organization says it took immediate steps to stop the intrusion and safeguard the data, although the effectiveness of those mitigation efforts has not yet been determined. The types of data that may have been exfiltrated include full names, email addresses, physical addresses, and employer names. In many cases, full credit card numbers and passwords were also associated with the records, but CPA states that this data was stored encrypted on its systems. How strong that encryption was remains anyone’s guess, as CPA has not provided any details on that point.

As for how the breach happened, the timing is interesting. On April 24, 2020, CPA Canada sent warnings to its members about an ongoing phishing campaign. The emails tried to direct CPA members to a phishing page where they were asked to reset their password because of a supposed security breach on the platform. Whether that scheme yielded account credentials that somehow opened the door to the actual CPA network remains unclear.

Whatever the case, CPA assures its members that its password system is intact, so they have no immediate reason to worry about their accounts. Still, their sensitive PII may have been exfiltrated, so they are advised to treat incoming communications with extra care; this includes both email messages and letters arriving by post. Phone numbers were not exposed, so at least one box remained unticked. Beyond that, members may contact “[email protected]” to request more details about the status of their CPA account.
