Approximately 900 Social Insurance Numbers have been stolen due to the Heartbleed encryption bug, according to the Canada Revenue Agency.
The CRA says the data breach occurred about six hours before the agency shut down its web services last week. The RCMP is investigating the incident.
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” said CRA Commissioner Andrew Treusch in a statement posted on the website.
In response, registered letters will be sent to those Canadians affected, and free additional security protection will be offered to protect against identity theft or unauthorized financial transactions.
The agency’s e-services – including EFILE, NETFILE, My Account, My Business Account and Represent a Client – were back up and running Sunday afternoon after being shut down last Wednesday in response to global warnings against the Heartbleed bug. The bug affects OpenSSL encryption software, used by two-thirds of websites across the Internet to secure sensitive information, including passwords and credit card numbers. Heartbleed was uncovered on April 7 – but apparently existed for two years – and a patch to fix the problem was released the same day. The CRA said it worked “around the clock” with Shared Services Canada to apply the patch.
"The Canada Revenue Agency (CRA) is pleased to report that all of its online systems have been restored to full service as of April 13, 2014," a statement said. "Individuals, businesses and representatives are now able to file returns, make payments, and access all other e-services available through the CRA’s website, including all our secure portals."
For financial advisor Mike Lakhani of Tax Matters for Dentists, the Heartbleed bug is a reminder that businesses need to smarten up about security protection.