Heartbleed used for Canada Revenue Agency breach

Approximately 900 Social Insurance Numbers have been accessed over a six-hour period thanks to a Heartbleed exploit.
Written by Chris Duckett, Contributor

Over a six-hour period on April 8, around 900 Social Insurance Numbers were taken from the Canada Revenue Agency.

In a statement released yesterday, the agency provided an explanation for the removal of its systems from the internet last week.

"After learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug, the CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8, 2014," CRA commissioner Andrew Treusch said.

"Since then, the CRA worked around the clock to implement a 'patch' for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services late yesterday."

CRA confirmed that, prior to taking its services offline, an attacker exploited the Heartbleed vulnerability in the agency's systems to take around 900 Social Insurance Numbers, the Canadian equivalent of a Social Security Number or Tax File Number. The agency has yet to determine whether business data was also accessed.
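The bug that made this possible is a missing bounds check in OpenSSL's TLS heartbeat handler. The following is an added example, not code from the article or from OpenSSL: it models the heartbeat message layout from RFC 6520 (type, two-byte payload length, payload, 16 bytes of padding) and places the record in a constructed, simulated heap buffer with a made-up secret string directly after it. The vulnerable handler trusts the length field and copies that many bytes back to the sender; the patched handler adds the record-length checks that OpenSSL 1.0.1g introduced. The simulated heap, the secret and the 64-byte claimed length are all assumptions made so the demo runs safely; real OpenSSL would return up to 64 KiB per request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16                       /* RFC 6520 minimum padding */
#define HB_MAX_RECORD     (1 + 2 + 65535 + HB_PADDING)

/* Constructed stand-in for the server's heap (assumption for this example):
 * the incoming heartbeat record sits at the start, and unrelated data
 * happens to follow it in memory. */
static unsigned char sim_heap[512];
static const char SECRET[] = "SECRET:session-cookie=abc123";  /* constructed */

/* Build a heartbeat request: type | payload_length (big-endian) | payload | padding.
 * claimed_len is whatever the sender writes into the length field; it need not
 * match actual_len, the number of payload bytes really sent.
 * Returns the record length (bytes actually written). */
size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                       const unsigned char *payload, size_t actual_len)
{
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it trusts the
 * length field inside the message and never compares it with rec_len, the
 * length of the record that actually arrived. Returns response length or -1. */
long handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out)
{
    (void)rec_len;                                 /* never consulted: the bug */
    if (rec[0] != TLS1_HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (long)payload + HB_PADDING;
}

/* Patched handler: the same logic plus the two checks the fix added. A record
 * that cannot contain what its length field claims is silently discarded. */
long handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)              /* too short for any heartbeat */
        return -1;
    if (rec[0] != TLS1_HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)   /* the Heartbleed check */
        return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (long)payload + HB_PADDING;
}

/* 1 if the bytes of needle appear anywhere in the first len bytes of resp. */
int response_contains(const unsigned char *resp, long len, const char *needle)
{
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n)
        return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Lay out the simulated heap: a request that sends 4 payload bytes but claims
 * 64, followed by the secret. Returns the real record length (23 bytes). */
static size_t setup_attack(void)
{
    memset(sim_heap, 0, sizeof sim_heap);
    size_t rec_len = build_heartbeat(sim_heap, 64, (const unsigned char *)"ping", 4);
    memcpy(sim_heap + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

int vulnerable_leaks(void)   /* 1 if the secret shows up in the response */
{
    static unsigned char out[HB_MAX_RECORD];
    size_t rec_len = setup_attack();
    long n = handle_heartbeat_vulnerable(sim_heap, rec_len, out);
    return response_contains(out, n, SECRET);
}

int fixed_leaks(void)        /* 1 if the patched handler leaks; expected 0 */
{
    static unsigned char out[HB_MAX_RECORD];
    size_t rec_len = setup_attack();
    long n = handle_heartbeat_fixed(sim_heap, rec_len, out);
    return n >= 0 && response_contains(out, n, SECRET);
}

long honest_response_len(void)   /* patched handler still answers a valid request */
{
    static unsigned char out[HB_MAX_RECORD];
    memset(sim_heap, 0, sizeof sim_heap);
    size_t rec_len = build_heartbeat(sim_heap, 4, (const unsigned char *)"ping", 4);
    return handle_heartbeat_fixed(sim_heap, rec_len, out);
}

int main(void)
{
    printf("vulnerable handler leaked secret: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("patched handler leaked secret:    %s\n", fixed_leaks() ? "yes" : "no");
    printf("patched handler honest reply:     %ld bytes\n", honest_response_len());
    return 0;
}
```

The attacker here sends 4 payload bytes but declares 64, so the vulnerable handler echoes 60 bytes it was never sent, including whatever sits after the record in memory. The patched handler's check `1 + 2 + payload + 16 > rec_len` rejects exactly that mismatch while still answering a request whose declared and actual lengths agree.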

The Royal Canadian Mounted Police are investigating the matter, and the Privacy Commissioner of Canada has been informed.

"As the Commissioner of the CRA, I want to express regret to Canadians for this service interruption," Treusch said. "In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act."

Treusch said persons affected by the breach will be notified by registered letter rather than by email or phone, so that the notification itself cannot be mistaken for, or imitated by, a phishing attempt, and will have access to free credit protection services.

With the deadline to file Canadian tax returns set as April 30, CBC reports that the agency has pushed the deadline out to May 5.

The CRA joins UK parenting site Mumsnet as one of the first confirmed victims of Heartbleed attacks.

Mumsnet founder Justine Roberts told the BBC that hackers accessed the site's database and made off with potentially all of its users' login details. She said she knew a breach had happened when her own account was used to post a message on the site.

The attackers then informed Roberts that her site was not safe from Heartbleed attacks.

Heartbleed CAN confuse

The Commonwealth Bank of Australia was never exposed to Heartbleed, since its NetBank service runs on a Microsoft-based SAP software stack that did not use OpenSSL. The bank nonetheless managed to utterly confuse its customers yesterday by posting a blog entry saying it had "patched against the 'Heartbleed' bug" while also telling customers they did not need to change any NetBank passwords. A system that never ran the vulnerable OpenSSL code has nothing to patch, and the two statements together left readers unable to tell whether they had been at risk.

The situation was muddled further when a representative from the bank replied to a question asking whether the bank had ever been vulnerable to Heartbleed with a cookie-cutter response.

"You can rest assured that you can use NetBank and our websites with confidence," the response said. "You do not need to change your NetBank password. We are patched against the Heart Bleed bug. We constantly monitor and stay up to date with the latest security technology to ensure the security of our customers."

With commentators continuing to ask for actual clarification from the bank, an update was eventually made that pointed out that NetBank does not use OpenSSL.

"NetBank does not (and did not) use OpenSSL. All customer data is safe, so customers do not need to change their NetBank passwords or take any action," the update said.
