Cyber Incident Victim: Meyers Norris Penny
Date:
Apr 2020
Location:
Canada
Summary
A Canadian accounting firm experienced a significant cyberattack, suspected to be ransomware, prompting a company-wide system shutdown to contain the incident. The disruption forced most offices offline for approximately one week, halting operations and preventing employees from working. During the outage, the organization deducted banked overtime hours from affected staff, leading to internal dissatisfaction over the handling of workforce impacts. The firm engaged cybersecurity experts and law enforcement, with an ongoing investigation to determine potential data compromise. While the attack’s full scope remained under assessment, no ransomware group had publicly claimed responsibility or leaked data at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 5, 2020, Canadian accounting firm MNP discovered a cyberattack impacting its systems, prompting an immediate company-wide shutdown of all IT infrastructure to contain the incident. The attack, described by employees as ransomware, led MNP to instruct staff via text messages to bring laptops to offices for security checks before any reconnection to servers. With over 80 offices affected, most remained offline throughout the subsequent week as forensic investigations continued, forcing widespread office closures and operational paralysis. Accountants, unable to perform their duties during this period, were placed on standby pending system restoration. MNP’s Senior Vice President of Marketing, Randy Mowat, publicly confirmed the cybersecurity incident, emphasizing rapid containment efforts and collaboration with external cybersecurity experts and law enforcement. The investigation remained ongoing at the time of reporting, with MNP unable to confirm whether client data was compromised, though they pledged direct notification to affected clients if evidence of data theft emerged.
The attack caused significant workforce disruption, particularly regarding employee compensation. MNP deducted approximately 32 hours of banked overtime—accrued hours beyond the standard 37.5-hour workweek—from affected staff to offset the downtime, sparking internal criticism. Employees expressed frustration over this policy, with one labeling the deduction unfair given the company’s role in the security failure. Operational impacts extended beyond payroll adjustments, as the week-long shutdown halted client-facing services and internal workflows firm-wide. While no ransomware group claimed responsibility during the investigation, the article contextualized the incident within broader ransomware trends, noting that data exfiltration prior to encryption had become a common tactic among groups like Maze, REvil, and DoppelPaymer. MNP declined to comment further on the attack’s specifics or its overtime policy, leaving unresolved questions about the attack’s origin, scope, and long-term implications for client data confidentiality.