“There are only two types of companies: Those that have been hacked and those that will be hacked.” Robert S. Mueller, III, Director FBI made this famous quote but almost by the time he made the quote it was out of date – it should be ‘There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.” read more from Stephen Barnes, Byronvale Advisors
Page Updated 25th August 2020
CPD for Me website crashed on the 19th January 2019 where it had to be rolled back. This occurred again in mid February 2019 with further investigations discovering an internal MidCoastDigital cyber attack with Envato account being accessed with username and passwords changed. where CPD for Me and DentistsCPD website theme and code was stolen which caused website code errors and automated process to cease.
CPD for Me do not store or save financial data or subscriber passwords. We use PayPal and Stripe, both of which are secure third party payment gateways.
We have not had one report of a subscriber CPD for Me account being compromised. The current website is working in Chrome, Internet Explorer, Edge and Safari. Some subscriber accounts have had LogCPD issues. Please advise any LogCPD or code errors appearing on any page so they can be rectified.
Our dedicated server hosting plan means that our websites are the only sites hosted on our server with limited access by authorised staff. Cyber security has always been a priority.
We believe CPD for Me processes were not the cause of this breach and we have taken action to ensure and establish a dedicated hosted secure platform (again) for subscribers to access content and LogCPD to complete online CPD requirements. We are currently completing user testing on our new website which we commence beta testing late September 2020.
We have been working with Frank Downes, Juris IT, online platforms, cyber security experts, lawyers and Police and Cyber Crime Fraud Investigation.
Following an investigation with Juris IT, cyber security experts, we now have a better understanding of the impact of our 2018 cyber attack and want to provide as much context as we can to subscribers as it appears the intruder/s specifically targeted the removal of company assets, former client files and to cease automation.
Our first response was to:
- Secure cpdforme.com.au website and data
- Secure Envato Account
- Go on with the show – CPD-LIVE 2019 March Webinars which were conducted 7 days a week
- Contact (former) employee IT support staff on holidays who did not return to work or resign after holidays;
- Contact (former) MidcoastDigital client DentistsCPD who stated they believe we had an employee issue;
- Notify Police;
- Run audit and user reports;
- Update Lastpass user accounts and passwords;
- Contact Telstra and lock down Microsoft 365 Account;
- Contact Telstra and change WiFi password (replaced modem);
- Transferred CPD for Me to another dedicated server;
- Rolled back CPD for Me website from December 2018 backup;
- Advised subscribers to update email preferences;
- Published 2017-18 CPD for Me on-demand content only via Go1 Premium Platform to ensure continuity and availability (Large corporates and international firms)
(CLICK TO ARTICLE >> “CPD for Me is the provider Go1 clients seeking legal updates asked for”);
- Obtain legal advice
What did the attacker do?
- 27th & 29th December 2018 accessed cPanel and audit reports clearly show IP address of former employee modifying websites and transferred former client website;
- 30th December 2018 accessed LastPass Account and IP address of former employee exporting company and personal passwords;
- 13th January 2019 an intruder accessed our Microsoft 365 Administration Account and set up inbox rules to cease email notifications of changes to key services;
- 13th January 2019 intruder hacked our Website account and launched denial of service attack on CPD for Me;
- 14th February 2019 accessed Slack account, one of our internal communications system accessed; and
- Online Marketing Video Account was deleted and we lost 2017 – 2019 marketing and promo videos.
- May 2020 Development website which was lost in initial attack became active and activated our plugins which ceased current website automation (again).
Our investigations continue with this deliberate attack with police and cyber crime fraud unit.
What has CPD for Me done about it?
Ongoing investigations and legal counsel sought as we continue to invest heavily in security.
Our first priority was, and is still, to protect company assets and subscribers data.
- Created a new Lastpass account and changed passwords again;
- Adopted two step verification on sign-in with online accounts;
- Created notifications for any account accessed or changed;
- Installed a new modem;
- Purchased new laptop and desktop;
- Reset all other computers and devices back to factory settings;
- Previous Telstra Microsoft Office 365 account locked;
- Purchased new mobile; and
- Automate website and process again while we develop our new website.
Here’s what CPD for Me are currently doing:
- Hired new team and completed integrity testing on all employees;
- Implemented Juris IT Microsoft 365 Account with Azure P1 added device security protection;
- Developing new simple and easy to use website – subscribe, click, watch & LogCPD;
- Notifying our users: We want our subscribers to know that we do not store user passwords or any financial data. We use PayPal, a secure third party for all financial transactions;
- Completing speaker reports and paying experts who opt in to receive shared revenue;
- Report pages with errors due to ongoing code errors please advise us via web chat or email;
- As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you do receive any emails that you believe are suspicious, do not click on them and do not respond. We encourage you to flag them with your email provider;
- Use a password manager: We recommend you use a password manager such as Lastpass or Google Chrome to generate and remember a unique, secure password for each site you use; and
- Prompting users to change passwords: We ask all users to reset their passwords set before the attack to change them.
A final word from Paula
- We are proceeding with legal counsel, as stealing trade secrets and intellectual property is a crime. Trust is not a business strategy and conduct regular audit reports of online activities.
Thank you to our speakers and subscribers for their continued patience and support. I would like to thank Automation Agency, who have been our away team since 2016. Their invaluable assistance to protect and move our websites so quickly to a new dedicated server truly was a blessing. Their quick response to this cyber threat allowed us to transact in a safe and secure environment.
I would like to also thank our Australian team who assisted us to keep the doors open which included Bronwyn Pott who has been with me from the start in 2013 and Barbara, Luke, Jacob, Tracey, Frank, Sharn, Kate, Veronica, Hannah, Abel, Brandon and Jack – thank you for your time and efforts.
This has been a personal attack at me and my family by a disgruntled employee. I am deeply sorry that this has happened. As a small business owner you depend on your team to do the right thing. It has been so sad to speak with several subscribers who have also faced similar issues with staff or have been hacked. I was alarmed to hear all their stories which included some lawyers closing down their practices. Others are limping along and just trying to keep their doors open and recover. Some of the cyber security incidents included staff walking out with precedents on USB, staff clicking on dodgy emails which resulted in trust funds being stolen ($200k to $13 million), viruses and devices being wiped with ransomware.
Everyone at CPD for Me has been on the receiving end of updates like this, and at a personal level we know how upsetting and downright devastating it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.
That is why I have introduced the Cyber Security Series with Frank Downes in 2020. I am so thankful for his assistance, guidance and support assisting me to effectively lock down our systems from further attacks.
“Cyber Security is No 1 must watch CPD in 2020 to make sure principals protect and secure their firm assets and intellectual property.” ~ Paula Gilmour
On a good note I have not had the opportunity to promote our students being a viable alternative to offshoring your marketing, social media and video productions.
Applications open now for firms, schools and students.
#SAKT (Support Australian Kids Too)
2020 Year 10 – 12 Remote Digital Media & Legal Studies Work Experience Program
Organised by MidCoast Digital (Social Media | Video Production)
Previously referred 2016-2019 as #SOYT (Support Our Youth Too)
Our Youth Our Future however students felt #SAKT was more appropriate for how they felt
I continue to have patience and faith, I trust you will too. My motto is simplify, automate with no more than 4 intuitive steps. This year has been so bitter sweet, heartbreaking on both a professional and personal level as I thought I was assisting a friend develop his start up business yet was betrayed by two people I trusted.
2019-20 content produced is our very best from award winning experts and viewed by over 3500+ firms including international and tier 1 subscribers worldwide.
If you have any comments, suggestions further questions, please email me email@example.com
Click here to schedule 15 minute chat to discuss
* I am eternally grateful for my family love and support.