900 SINs stolen from CRA website
Posted Apr 14, 2014 10:03:09 AM.
The Canada Revenue Agency says the Social Insurance Numbers of 900 Canadians have been stolen from its website.
The agency says the theft occurred over a six-hour period, when someone exploited the Heartbleed bug on the site.
Each affected person will receive a registered letter to inform them of the breach.
A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN.
The CRA will also provide those who have been affected with access to credit protection services at no cost.
Here is the official statement from the Canada Revenue Agency website:
After learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug, the CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8, 2014.
Since then, CRA worked around the clock to implement a “patch” for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services late yesterday.
Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.
Beginning today, the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN. The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.
The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity.
On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach. The RCMP are investigating.
Andrew Treusch
Commissioner