Canada's tax agency says the SINs were stolen just hours before it shut down its e-services last week after a global warning was sent out about the software encryption bug, Heartbleed.
Approximately 900 Social Insurance Numbers have been stolen due to the Heartbleed encryption bug, according to the Canadian Revenue Agency.
The CRA says the data breach occurred about six hours before the agency shut down its web services last week. The RCMP is investigating the incident.
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” said CRA Commissioner Andrew Treusch in a statement posted on the website.
In response, registered letters will be sent to those Canadians affected, and free additional security protection offered to protect against identity theft of unauthorized financial transactions.
The agency’s e-services – including EFILE, NETFILE, My Account, My Business Account and Represent a Client – were back up and running Sunday afternoon after being shut down last Wednesday in response to global warnings against the Heartbleed bug. The bug affects OpenSSL encryption software, used by two-thirds of websites across the Internet to secure sensitive information, including passwords and credit card numbers. Heartbleed was uncovered on April 7 – but apparently existed for two years – and a patch to fix the problem released the same day. The CRA said it worked “around the clock” with Shared Shared Services Canada to apply the patch.
"The Canada Revenue Agency (CRA) is pleased to report that all of its online systems have been restored to full service as of April 13, 2014," a statement said. "Individuals, businesses and representatives are now able to file returns, make payments, and access all other e-services available through the CRA’s website, including all our secure portals."
For financial advisor Mike Lakhani of Tax Matters for Dentists, the Heartbleed bug is a reminder that businesses need to smarten up about security protection. (continued)
#pb#
“This may have come out of nowhere, but it’s a good thing for people to recheck their security and make sure they’ve got the added protection in place,” he says “It’s just as much on us to ensure that we are doing everything we can to protect their privacy.”
The four-day shutdown has been nothing short of a headache for Lackhani’s practice as he and his employees scramble to play catch-up on hundreds of client tax returns, even with an extended tax deadline of May 5 granted by the CRA.
“It’s a lot more stress and work for us as we do a ton of returns, well over 1,600 at this time of year,” he says. “Millions of people are going to be trying to get (into the system) at the same time and it’s going to be another hold up.”
Lackhani is taking heed of the security breach, saying that his company has multiple layers of security to protect clients' personal information.
“This issue about security and privacy has been a big thing for us for a long time. We have added a lot more firewalls and we keep on improving that,” he says.
The CRA website was not the only government website affected by Heartbleed. All federal government departments disabled their public websites until security updates had been made. The CRA is now advising Canadians to change their user IDs and passwords to access its online services.
Related Stories:
CRA website shutdown persists
CRA shuts down website
