EDMONTON, Alberta – The Association of Professional Engineers and Geo-Scientists of Alberta said its network was breached following a social engineering attack late Tuesday afternoon of this week.
A cyber intruder viewed 11 accounts, roughly 85% of the association’s member directory, and personal data was exported and shared, Amanda Poker, APEGSA’s chief information security officer, said in a statement this morning. APEGSA is an organization that regulates the practices of semi-professional engineering and geosciences in Alberta.
It is alleged that the hacker disabled email notifications on the breached accounts. Ms. Poker did not identify the members affected, other than to say that 11 members contacted the association to ask if there was a problem with its email notification service.
APEGSA’s security team became aware that a malicious actor had accessed an internal tool used by member-facing teams for support and account administration, Poker said. The attacker conducted a very successful social engineering attack on an APEGSA intern by posing as an Internet-based door-to-door COVID insurance salesman, resulting in the credentials being compromised.
“It really became clear to us that something was up when a member contacted support to ask why they hadn’t been spammed by APEGSA member emails in the past 3 hours. Then 2 more members called in with the same question, followed by 8 more. When asked if they wanted to have the member email issue fixed, they categorically said, ‘No.’ This is when the lightbulb went off – we’ve been hacked!!” – Onya Neeze, junior Security Technologist, APEGSA
The same hacker on April 6th attempted to send a phishing campaign to all 11 members whose accounts were breached a day earlier, and with great success. “Our findings show that this was a targeted incident focused on our geo-science members, who are typically cognitively deficient such that they could not pour water out of a boot if the instructions were printed on its heel or they are chronically under the influence of marijuana to the point that they are higher than giraffe box.” APEGSA reported that the 11 geoscience members who were hacked are out a total of $128K after sending funds to who they believed was the CRA looking for a special assessment on their 2020 tax return.
Barry McCaulkiner, P.Geo., one of the members whose APEGSA account was hacked, agreed to speak to 2P News this morning regarding his experience. “I can’t control that the APEGSA systems were breached, but I can’t believe I fell for that CRA deal. Goodness. I used up the money I was saving for a family trip down to the Arches in Utah. But I must say, not receiving 17 member email notifications from those guys every day is a true blessing. Because of this experience, I’m thinking I won’t renew next year.”
APEGSA has formally apologized to its 13 members and plans to make amends by cutting their annual membership dues by 50% for the next 4 years.