Hackers used Heartbleed bug to steal info on 900 Canadian taxpayers

14 Apr 2014

Tax ID numbers belonging to 900 taxpayers were stolen from the Canada Revenue Agency’s (CRA) systems by a hacker exploiting the Heartbleed vulnerability, the agency has confirmed.

Last week, a team of researchers found a massive flaw in OpenSSL, an online encryption program used by thousands of websites worldwide. The flaw can be manipulated to make a computer send the content of its random access memory (RAM).

OpenSSL is used on public-facing websites such as Gmail, Facebook and PayPal, and it is believed that up to 17pc of the internet could be vulnerable to the bug.

The CRA was one of the first government agencies in the world to shut down its systems and close all front-facing sites when the Heartbleed vulnerability became public knowledge last week.

The agency says it has since worked around the clock to implement a “patch” for the bug, as well as vigorously test all systems to ensure they are safe and secure.

It relaunched its online systems at the weekend.

Vulnerable to Heartbleed

“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” CRA Commissioner Andrew Treusch said.

“Based on our analysis to date, social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed.

“The CRA is one of many organisations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration before the systems were restored yesterday.

“Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

“Beginning today, the agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach,” Treusch said.

In Ireland, the Revenue Commissioners last week confirmed its public-facing and internal systems have been checked and are safe from the Heartbleed bug vulnerability.

Editor John Kennedy is an award-winning technology journalist.

editorial@siliconrepublic.com