Feeds

Canadian taxman says hundreds pierced by Heartbleed SSL skewer

900 social insurance numbers nicked, says revenue watchman

Securing Web Applications Made Simple and Scalable

The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability.

The Canadian taxman specifically blamed the data breach on a serious security shortcoming in widely used Open SSL technology discovered last week. What's significant is not the size of the breach, which is modest, but that Heartbleed has scored a confirmed hit on a high profile victim.

The agency said today it had become aware of the breach while updating its systems to squash the Heartbleed bug. The theft reportedly happened during a six-hour period after the security flaw was discovered but before the agency blocked public access to its online services on Wednesday 9 April, to fix the vulnerability.

In a statement, the CRA said that preliminary results of its ongoing investigation suggest that the breach was limited to a small percentage of Canadian taxpayers and attributable to the Heartbleed bug alone rather another pre-existing security problem.

Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

The CRA is one of many organisations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

Canadian tax authorities are in the process of notifying affected parties by letter, a sensible precaution since any attempt to notify people by phone or email could easily be exploited by those hoping to trick people into handing over sensitive information.

Keith Bird, UK managing director of security vendor Check Point, commented: "Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent.

“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he added.

Local coverage of the incident can be found in a report by CBC News here. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.