Date: Sep 2015

Location: Canada

Summary

Hackers conducted a phishing attack by impersonating the chief executive officer of the Association of Professional Engineers and Geoscientists, resulting in unauthorized disclosure of member information including private emails. While no database compromise occurred and financial data remained secure, the breach prompted immediate password resets for self-service accounts, notifications to law enforcement and privacy authorities, and an independent investigation. The organization implemented enhanced approval protocols requiring verbal confirmation from senior management for data releases and established a temporary call center to address member concerns, treating the incident as an opportunity to strengthen internal security practices.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 21, 2015, the Association of Professional Engineers and Geoscientists (APEGA) discovered a phishing attack targeting CEO Mark Flint’s email account, which resulted in the unauthorized disclosure of member information to an unknown third party. The attackers impersonated Flint via email to fraudulently request and obtain confidential member data, though APEGA confirmed its core membership database was not compromised. No financial data, such as credit card details, and no system passwords were exposed in the breach. The compromised information included the private email addresses of APEGA’s 75,000 members; member names, which were already publicly accessible, were also part of the exfiltrated data. APEGA initially characterized the incident as a “significant” breach upon discovery. As an immediate consequence, members were required to reset their passwords to access APEGA’s self-service portal, which handles dues payments, personal information updates, and other membership functions. Flint issued a personal video apology to members acknowledging the inconvenience caused. The organization promptly reported the breach to the Edmonton Police Service and notified the Alberta Privacy Commission to comply with regulatory obligations.


APEGA initiated multiple response measures, including commissioning an independent forensic investigation to determine the attack’s scope and origins. The association established a temporary call center to manage member inquiries throughout the weekend following the breach. Internally, APEGA revised its data release protocols to mandate verbal authorization from senior management for any future information disclosures, eliminating reliance on email approvals. Communications lead Philip Mulder emphasized a focus on organizational learning rather than assigning blame for the incident. While the phishing attack did not penetrate APEGA’s primary databases or expose financial systems, the compromise of private member emails represented a violation of data confidentiality. The incident underscored operational vulnerabilities to social engineering tactics targeting executive communications. APEGA’s response prioritized transparency with regulators and members, procedural reforms to prevent recurrence, and maintaining service continuity through the self-service portal’s password reset requirement.
