CRA loses personal data to Heartbleed bug

The CRA is reporting that 900 SINs were stolen from their data banks before it was able to shut down public access.

  • Apr. 16, 2014 11:00 a.m.

by Jeff Nagel

Black Press

The Canada Revenue Agency says the social insurance numbers of 900 taxpayers were stolen last week by someone using the Heartbleed encryption vulnerability before the taxation agency shut down public access to its online services.

It happened over a six-hour period by someone exploiting the vulnerability in many supposedly secure websites that used an open-source encryption system.

The CRA said it will send registered letters to affected taxpayers and will not be emailing them because it doesn’t want fraudsters to use phishing schemes to further exploit the privacy breach.

“I want to express regret to Canadians for this service interruption,” CRA commissioner Andrew Treusch said. “I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”

Other personal data and possibly businesses’ information may also have been lost.

“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” Treusch said.

Taxpayers whose data was compromised will get bolstered CRA account protection and free access to credit protection services.

Canada’s Privacy Commissioner is also investigating.

Online services, including the E-file and Netfile online income tax portals, were patched and re-launched Sunday after what the CRA called a vigourous test to ensure they are safe and secure.

The CRA cut off access to those services April 8 as word spread that the Heartbleed bug had given hackers access to passwords, credit card numbers and other information at many websites.

People whose income tax filing was delayed by last week’s CRA interruption have been given until May 5 – beyond the usual April 30 filing deadline – to file returns without being penalized.

The Heartbleed vulnerability compromised secure web browsing for up to two years at some sites despite the display of a closed padlock that indicates an encrypted connection.

Just Posted

Cache Creek council votes to rejoin local transit system

Details need to be worked out, but hopes are that change can be expedited

Ashcroft residents get information at Community Forum

Water treatment plant, recycling, an Eco-Depot, the budget, and more among items addressed

Elizabeth May’s wedding will be a ‘low-carbon affair’ in Victoria on Earth Day

Green party leader’s wedding party to depart in a cavalcade of electric cars

Gas prices spike in northern B.C. ahead of the long weekend

Fuel went up 17 cents overnight in Prince Rupert

VIDEO: Alberta man creates world’s biggest caricature

Dean Foster is trying to break the world record for a radio show contest

Chaos at the ferry terminal for people heading from Vancouver to the Island

Easter crowds create backlog at Tsawwassen ferry terminal

Parents of 13 who tortured children get life after hearing victims

One of their daughters fled their home and pleaded for help to a 911 operator

Flooding, climate change force Quebecers to rethink relationship with water

Compensation for victims of recurring floods limit to 50% of a home’s value, or a maximum of $100,000

Storms blast South, where tornadoes threaten several states

9.7 million people in the Carolinas and Virginia at a moderate risk of severe weather

Private cargo ship brings Easter feast to the space station

There are three Americans two Russians and one Canadian living on the space station

Notre Dame rector: “Computer glitch” possible fire culprit

The fire burned through the lattice of oak beams supporting the monument’s vaulted stone ceiling

Should B.C. lower speed limits on side roads to 30 km/h?

Vancouver city councillor wants to decrease speed limits along neighbourhood side roads

Lawsuit eyed over union-only raise for B.C. community care workers

‘Low-wage redress’ leaves 17,000 employees out, employers say

Most Read