Hackers used Heartbleed bug to steal info on 900 Canadian taxpayers

14 Apr 2014

Tax ID numbers belonging to 900 taxpayers were stolen from the Canada Revenue Agency’s (CRA) systems by a hacker exploiting the Heartbleed vulnerability, the agency has confirmed.

Last week, a team of researchers found a massive flaw in OpenSSL, encryption software used by thousands of websites worldwide. The flaw can be manipulated to make a vulnerable computer send out the contents of its random access memory (RAM).

OpenSSL is used on public-facing websites such as Gmail, Facebook and PayPal, and it is believed that up to 17pc of the internet could be vulnerable to the bug.

The CRA was one of the first government agencies in the world to shut down its systems and close all front-facing sites when the Heartbleed vulnerability became public knowledge last week.

The agency says it has since worked around the clock to implement a “patch” for the bug and to vigorously test all systems to ensure they are safe and secure.

It relaunched its online systems at the weekend.

Vulnerable to Heartbleed

“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” CRA Commissioner Andrew Treusch said.

“Based on our analysis to date, social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed.

“The CRA is one of many organisations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration before the systems were restored yesterday.

“Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

“Beginning today, the agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach,” Treusch said.

In Ireland, the Revenue Commissioners last week confirmed its public-facing and internal systems have been checked and are safe from the Heartbleed bug vulnerability.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years