The Canada Revenue Agency’s (CRA) Andrew Treusch acknowledged this morning that hackers exploiting the Heartbleed bug have stolen 900 social insurance numbers belonging to Canadian taxpayers.
The CRA removed public access to most of its online services on Tuesday of last week, and since then it has been working “around the clock to implement a ‘patch’ for the bug.” Unfortunately, hackers stole the personal information sometime within a six-hour period.
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” wrote Treusch. “The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls.”
The Canadian taxman also said that no other “infiltrations” have happened, either before or after the SIN heist. So as not to give phishing schemes an opening, the CRA said it will not contact those Canadians whose SINs have been stolen. The CRA will also provide those who have been affected with access to credit protection services at no cost, and it “will apply additional protections to their CRA accounts to prevent any unauthorized activity.”
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. Its public coming-out party occurred Monday of last week, when it was also revealed that OpenSSL had known about it for a couple of months without warning the public. Other reports have also surfaced since, revealing that the US’s much-maligned National Security Agency (NSA) knew about the bug for the past two years.
OpenSSL is the open-source encryption library used by the majority of sites on the web that need to transmit data users want to keep secure. OpenSSL gives users a “secure line” to the person they’re communicating with, whether via email or chat. The library also implements the TLS “heartbeat” extension, in which one end of a connection sends a short message and the other end echoes it back to show the connection is still alive. Because of a programming error in OpenSSL’s implementation of that extension, researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats and trick the computer at the other end of the connection into sending back data stored in its memory.
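The programming error was a missing length check in the heartbeat handler. As an added illustration that is not part of the original article or of OpenSSL’s own code, the C function below shows the hardened handling of a heartbeat record: the payload length the peer claims is checked against the bytes actually received before anything is echoed back. The message layout follows RFC 6520, and the sample records in the demo function are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Validate an incoming heartbeat record and build the echo response.
 * Returns the response length, or -1 if the record is malformed.
 * The length check marked below is the one OpenSSL's fix added: without it,
 * a 16-bit payload_length larger than the record makes the memcpy read past
 * the received bytes into whatever else sits in process memory. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Hardened check: the claimed payload, plus padding, must fit in the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes the peer sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* zero padding here; TLS uses random bytes */
    return (int)resp_len;
}

/* Constructed sample: a 23-byte request carrying the 4-byte payload "ping",
 * with payload_length set to `claim`. Returns the response length, -1 if the
 * record is rejected, or -2 if the echo does not match what was sent. */
int demo_claimed_length(unsigned claim)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, (uint8_t)(claim >> 8),
                                           (uint8_t)claim, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n > 0 && (out[0] != HB_RESPONSE || memcmp(out + 3, "ping", (size_t)claim) != 0))
        return -2;
    return n;
}
```

A claim of 4 matches the bytes sent and is echoed; a claim of 5 or 0xFFFF exceeds the record and is rejected before any copy happens.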
The flaw was first reported to the team at OpenSSL a few months ago, then an independent security firm confirmed the bug. The bug has been in the code for about two years.