The Canada Revenue Agency (CRA) has revealed that attackers exploiting the recently discovered Heartbleed bug have stolen the social insurance numbers of 900 Canadians from the agency’s website.
The agency said it became aware of the breach while updating the website to protect it against exploitation of the Heartbleed bug, reports the CBC.
The data theft is believed to have taken place in the six-hour period before the public section of the agency’s website was blocked to carry out the security upgrade.
The CRA is investigating whether any of the stolen information relates to Canadian businesses.
The agency says those affected will be contacted by registered letter only and that no attempt will be made to contact taxpayers by email or phone.
The CRA is also offering free credit protection services to any taxpayers affected by the breach.
Keith Bird, UK managing director of security firm Check Point, said the attackers were alert to the vulnerability, and quick to exploit it.
“The agency has done the right thing by stating it will contact those affected by registered letters only,” he said.
Bird said other similar announcements are likely in the coming days.
“It is important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed.
“There is a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he said.
Large hardware, software and internet service providers have moved quickly since the two-year-old bug was made public by security researchers on 8 April 2014.
However, hundreds of thousands of IT systems in both private and public-sector organisations will remain vulnerable to data theft until the affected versions of OpenSSL can be updated.