The Canada Revenue Agency (CRA) has suffered a data breach through the Heartbleed vulnerability, losing about 900 taxpayers' Social Insurance Numbers (SINs) stored in its database.
First reported last week, the Heartbleed bug (CVE-2014-0160) is a vulnerability in OpenSSL, the open source library that many servers use to encrypt communications over the Internet with SSL/TLS. A flaw in the library's handling of the TLS heartbeat extension lets an attacker read up to 64 KB of a server's memory per request on systems running OpenSSL 1.0.1 through 1.0.1f, typically without leaving a trace in application logs. Whatever happens to be in that memory is exposed: the server's private key, which can then be used to decrypt captured traffic, as well as session cookies, passwords and the plaintext of recent requests, including valuable data like SINs.
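As an added illustration that is not part of the article and is not OpenSSL's own code, the following C program models the heartbeat bug and the bounds check that closed it. It simulates process memory with a fixed array, places a constructed fake SIN just after the received heartbeat record, and contrasts a handler that trusts the peer's declared payload_length (as OpenSSL 1.0.1 through 1.0.1f did) with one that applies the length check added in 1.0.1g. All function names, buffer sizes and sample data are the example's own assumptions; the clamp to the array size exists only so the simulation itself stays in bounds, the real code had no such limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated process memory (not real OpenSSL state): the received record sits
 * at the front and unrelated data, a constructed fake SIN, follows it. */
#define MEM_SIZE 256
static uint8_t g_memory[MEM_SIZE];
static const char SECRET[] = "SIN 123-456-789 (constructed sample)";

/* Place a heartbeat request in g_memory that declares `declared_len` bytes of
 * payload but really carries `payload` (keep it short); return the record's
 * true length. */
static size_t build_record(uint16_t declared_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t record_len = 1 + 2 + actual + HB_PADDING;
    memset(g_memory, 0, MEM_SIZE);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(declared_len >> 8);
    g_memory[2] = (uint8_t)(declared_len & 0xff);
    memcpy(g_memory + 3, payload, actual);                     /* padding stays zero */
    memcpy(g_memory + record_len + 8, SECRET, sizeof SECRET);  /* neighbouring data */
    return record_len;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: it trusts the
 * declared payload_length and never compares it with the record length. */
static size_t hb_respond_vulnerable(size_t record_len, uint8_t *out, size_t out_cap)
{
    uint8_t type = g_memory[0];
    size_t payload = ((size_t)g_memory[1] << 8) | g_memory[2];
    (void)record_len;                      /* never consulted: that is the bug */
    if (type != HB_REQUEST) return 0;
    /* Clamp only so the simulation stays inside g_memory; the real code had
     * no bound at all and would read up to 64 KB past the record. */
    if (payload > MEM_SIZE - 3) payload = MEM_SIZE - 3;
    if (1 + 2 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, g_memory + 3, payload);  /* the over-read: copies neighbouring data */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Hardened handler mirroring the OpenSSL 1.0.1g fix: reject records too short
 * to parse, then reject any declared payload that does not fit inside the
 * record actually received, silently discarding it (RFC 6520 section 4). */
static size_t hb_respond_fixed(size_t record_len, uint8_t *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > record_len) return 0;
    uint8_t type = g_memory[0];
    size_t payload = ((size_t)g_memory[1] << 8) | g_memory[2];
    if (1 + 2 + payload + HB_PADDING > record_len) return 0;   /* the fix */
    if (type != HB_REQUEST) return 0;
    if (1 + 2 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, g_memory + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* 1 if the response bytes contain the constructed secret, else 0. */
static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t nl = strlen(SECRET);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, SECRET, nl) == 0) return 1;
    return 0;
}

/* Build a request declaring `declared` payload bytes (really "hi"), run it
 * through the chosen handler, and return the response length (0 = discarded). */
static uint8_t g_resp[512];
static size_t scenario_len(uint16_t declared, int use_fixed)
{
    size_t rl = build_record(declared, "hi");
    return use_fixed ? hb_respond_fixed(rl, g_resp, sizeof g_resp)
                     : hb_respond_vulnerable(rl, g_resp, sizeof g_resp);
}

/* Same scenario, reporting whether the secret ended up in the response. */
static int scenario_leaks(uint16_t declared, int use_fixed)
{
    return contains_secret(g_resp, scenario_len(declared, use_fixed));
}

int main(void)
{
    printf("honest request (2 bytes), vulnerable: len=%zu leak=%d\n",
           scenario_len(2, 0), scenario_leaks(2, 0));
    printf("lying request (claims 200), vulnerable: len=%zu leak=%d\n",
           scenario_len(200, 0), scenario_leaks(200, 0));
    printf("lying request (claims 200), fixed: len=%zu leak=%d\n",
           scenario_len(200, 1), scenario_leaks(200, 1));
    return 0;
}
```

The same comparison, declared payload_length against the length of the record actually received, is what network sensors check to flag malicious heartbeat requests on the wire; a server that never makes that comparison answers them without logging anything, which is why the later discussion of watching outbound traffic matters.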
The CRA took its online services down on Apr. 8 to apply the patch, despite being in the midst of a busy tax season, and had only brought them back to full service on Sunday, allowing individuals and businesses to file returns and make payments. However, in a letter posted to the CRA website on Monday, CRA commissioner Andrew Treusch wrote that an attacker had nonetheless gained access to the agency's systems, siphoning off data over a six-hour period.
The CRA informed the Privacy Commissioner of Canada about the data breach on Apr. 11, and the RCMP is also investigating, Treusch wrote. He added that there have been no other infiltrations of the CRA's systems before or after this breach, although the agency is still analyzing other data, possibly business-related, that the attacker may also have taken.
“As the Commissioner of the CRA, I want to express regret to Canadians for this service interruption,” Treusch said. “In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”
Each person whose SIN was exposed in the breach will be notified by registered letter, and can call a 1-800 line at the CRA for information on how to protect it. The CRA will not call or email anyone about the breach, so that phishing attempts imitating such contact cannot pass as legitimate.
Despite the CRA's decision to come forward and publicly disclose that it has been breached, the only other organizations likely to follow suit are government agencies, says Robert Beggs, founder and CEO of Digital Defence.
“I’m not expecting to see any more organizations doing this, because breach reporting is not a mandatory requirement,” he says. “Heartbleed has been around for at least two years, but people are not looking to see the information leaving their networks.”
Beggs says that despite the CRA's assurance that there have been no other infiltrations, or attackers trying to get in, he is concerned about whether that assurance extends to exfiltration: whether data has left the agency's databases without its knowledge.
He adds that this is because organizations usually concentrate on what is coming into their networks, which can warn of an attempted intrusion, but do not always watch what is going out, because they lack adequate egress monitoring.
“This is very difficult to detect, and the CRA only did it accidentally … The vast majority of organizations will miss this,” Popa says. He adds that the federal government's plans to make it mandatory for organizations to disclose data breaches might even encourage businesses to be less proactive in looking for possible breaches, or to avoid investing in breach detection tools.
“This has been going on for decades. For some businesses, it’s better not to know they’ve been breached than to suddenly be accountable. It’s a can of worms for a lot of organizations … they all believe privacy legislation doesn’t have teeth.”