In the days following the discovery of the Heartbleed bug, the Internet has gone from sheer panic to anger over allegations that the NSA used the vulnerability for intelligence purposes. Then there was the denial phase, which Cloudflare instigated by saying that the bug does not allow access to the private SSL keys of websites. Now we’re about to circle back to fear with news that attackers exploited the vulnerability to remove the Social Insurance Numbers (SIN) of hundreds of taxpayers from the registry of the Canada Revenue Agency (CRA). The SIN is a nine-digit number that is required to work in the country and receive government benefits; it’s the Canadian version of U.S. Social Security Numbers.
According to a statement from CRA Commissioner Andrew Treusch, the agency shut down its online services on April 8. Its website went back online on April 13, after the agency implemented a patch for the Heartbleed bug.
“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by exploiting the Heartbleed vulnerability,” Treusch said.
Aside from the SINs of taxpayers, other fragments of data that relate to businesses were also removed. The Royal Canadian Mounted Police (RCMP) is currently investigating the matter.
To make it up to affected taxpayers, the CRA will provide credit protection services for free. It will also send registered mail to inform them of the breach, in hopes of side-stepping phishing schemes. The letter will contain a 1-800 number to help people protect their SINs.