News

CRA loses taxpayer data to Heartbleed bug

The logo for the Heartbleed bug, which affects roughly 500,000 servers and those using the OpenSSL system. - Heartbleed.com screenshot
The logo for the Heartbleed bug, which affects roughly 500,000 servers and those using the OpenSSL system.
— image credit: Heartbleed.com screenshot

The Canada Revenue Agency says the social insurance numbers of 900 taxpayers were stolen last week by someone using the Heartbleed encryption vulnerability before the taxation agency shut down public access to its online services.

It happened over a six-hour period by someone exploiting the vulnerability in many supposedly secure websites that used an open-source encryption system.

The CRA said it will send registered letters to affected taxpayers and will not be emailing them because it doesn't want fraudsters to use phishing schemes to further exploit the privacy breach.

"I want to express regret to Canadians for this service interruption," CRA commissioner Andrew Treusch said. "I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act."

Other personal data and possibly businesses' information may also have been lost.

"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," Treusch said.

Taxpayers whose data was compromised will get bolstered CRA account protection and free access to credit protection services.

Canada's Privacy Commissioner is also investigating.

Online services, including the E-file and Netfile online income tax portals, were patched and re-launched Sunday after what the CRA called a vigourous test to ensure they are safe and secure.

The CRA cut off access to those services April 8 as word spread that the Heartbleed bug had given hackers access to passwords, credit card numbers and other information at many websites.

People whose income tax filing was delayed by last week's CRA interruption have been given until May 5 – beyond the usual April 30 filing deadline – to file returns without being penalized.

The Heartbleed vulnerability, which has existed for two years, compromised secure web browsing at some sites despite the display of a closed padlock that indicates an encrypted connection.

We encourage an open exchange of ideas on this story's topic, but we ask you to follow our guidelines for respecting community standards. Personal attacks, inappropriate language, and off-topic comments may be removed, and comment privileges revoked, per our Terms of Use. Please see our FAQ if you have questions or concerns about using Facebook to comment.

You might like ...

Fraser facing fines for delayed surgeries
 
Judge tosses contempt charges against oil pipeline protesters due to GPS errors
 
NDP demands audit of Multi-Material BC
Port Moody heritage advocates decry decrepit state of Ioco townsite
 
UPDATED: Burke Mountain emergency call may have been a hoax
 
ELECTION 2014: Plenty of change on School District 43 board of education
Amrik Virk advised Kwantlen on secret executive bonus
 
Cloverdale Calendar: pet pictures with Santa, Christmas craft sales, vintage furniture and more
 
Winter Magic

Community Events, November 2014

Add an Event


Read the latest eEdition

Browse the print edition page by page, including stories and ads.

Nov 28 edition online now. Browse the archives.