Canada Revenue Agency reports Heartbleed data theft

The Canada Revenue Agency reports that attackers exploiting the Heartbleed bug have stolen the social insurance numbers of 900 Canadians

The Canada Revenue Agency (CRA) has revealed that attackers exploiting the recently discovered Heartbleed bug have stolen the social insurance numbers of 900 Canadians from the agency’s website.

The Heartbleed bug is caused by a flaw in OpenSSL software, which is widely used on the internet to provide data security and privacy.

The agency said it became aware of the breach while updating the website to protect it against exploitation of the Heartbleed bug, reports the CBC.

The data theft is believed to have taken place in the six-hour period before the public section of the agency’s website was blocked to carry out the security upgrade.

The CRA is investigating whether any of the stolen information relates to Canadian businesses.

The agency says those affected will be contacted by registered letter only and that no attempt will be made to contact taxpayers by email or phone.

The CRA is also offering free credit protection services to any taxpayers affected by the breach.

Keith Bird, UK managing director of security firm Check Point, said the attackers were alert to the vulnerability, and quick to exploit it.

“The agency has done the right thing by stating it will contact those affected by registered letters only,” he said.

Bird said other similar announcements are likely in the coming days.

“It is important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed.

“There is a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he said.

Large hardware, software and internet service providers have moved quickly since the two-year-old bug was made public by security researchers on 8 April 2014.

However, hundreds of thousands of IT systems in both private and public-sector organisations will remain vulnerable to data theft until the affected versions of OpenSSL can be updated.
