The federal tax agency says the social insurance numbers of roughly 900 people were stolen from its systems, which were left vulnerable by the so-called Heartbleed bug.
The Canada Revenue Agency blocked public access to its online services for several days last week until it addressed the security risk, but said Monday there was nonetheless a data breach over a six-hour period.
It said it is analyzing other fragments of data that have been removed from its systems, while putting measures in place to protect those affected by the breach.
“I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act,” CRA commissioner Andrew Treusch said in a statement.
“CRA online services are safe and secure. The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.”
Ray Vankrimpen, a partner with the accounting firm Richter who specializes in risk management, told 680News that with the kind of information obtained with the Heartbleed bug, criminals can do a lot of damage.
“All sorts of credit services could be made under different aliases,” he explained. “Your credit score will be damaged and (it) takes a long time to sort through that. It’s a real hassle.”
Everyone affected will receive a registered letter and free access to credit protection services, the CRA said.
The Heartbleed bug is caused by a flaw in OpenSSL, software widely used on the Internet to secure connections and keep them private.
The bug affects IT systems around the world, in both private- and public-sector organizations, and can expose private data.
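The article says only that Heartbleed is a flaw in OpenSSL. For readers who want to see the defect class it belongs to, the following is an added, simplified model written for this page; it is not OpenSSL's code and not from the article. It relies on one well-documented fact about the bug: the TLS heartbeat extension echoes a client payload whose length is declared in the message, and the flaw was copying that many bytes without first checking the declared length against the record actually received, so the reply could carry neighbouring memory. The function names, the byte layout used to stand in for process memory, and the neighbouring data are all constructed for illustration.

```python
"""Toy model of the Heartbleed defect class: trusting a length field.

Hypothetical example, not OpenSSL code.  A heartbeat message is
type(1 byte) | payload_length(2 bytes) | payload | padding(>= 16 bytes).
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding the heartbeat format requires

# Constructed placeholder for unrelated data sitting next to the record
# in the modelled process memory.  Not real data.
NEIGHBOUR_DATA = b"PLACEHOLDER-SECRET-DATA"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets a caller lie about the size."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytearray, record_len: int) -> bytes:
    """Mirrors the defect: copies `length` bytes starting after the header
    without checking that the received record (record_len bytes) actually
    holds that many, so the copy can run past the record into NEIGHBOUR_DATA.
    record_len is accepted but never consulted, which is the whole bug."""
    _, length = struct.unpack("!BH", memory[:3])
    payload = bytes(memory[3:3 + length])  # may read beyond the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN


def fixed_handler(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Corrected logic: drop the message unless header + declared payload
    + padding fit inside the record that was really received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to hold even an empty payload
    _, length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + length + PADDING_LEN > record_len:
        return None  # declared length exceeds what arrived: discard silently
    payload = bytes(memory[3:3 + length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Return the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


def demo(claimed_len: int) -> Tuple[bytes, Optional[bytes]]:
    """Feed one 2-byte heartbeat with the given declared length to both
    handlers and return (vulnerable_response, fixed_response_or_None)."""
    record = build_heartbeat(b"hi", claimed_len)          # 21 bytes on the wire
    memory = bytearray(record + NEIGHBOUR_DATA)           # record, then neighbouring data
    return vulnerable_handler(memory, len(record)), fixed_handler(memory, len(record))


if __name__ == "__main__":
    honest_leak, honest_fixed = demo(2)
    print("honest request, both handlers echo:", response_payload(honest_leak))
    lying_leak, lying_fixed = demo(20)
    print("over-long claim, vulnerable handler echoes:", response_payload(lying_leak))
    print("over-long claim, fixed handler returns:", lying_fixed)
```

With an honest length the two handlers behave identically. With a declared length of 20 on a 2-byte payload, the vulnerable handler's reply ends with the first bytes of NEIGHBOUR_DATA, which is the mechanism by which unrelated data such as the records the article describes could leave a server, while the fixed handler returns nothing because the declared size does not fit the 21-byte record.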
Vankrimpen said this kind of bug was only noticed after there was a problem, and that similar vulnerabilities may exist now but haven’t been detected yet.
“Organizations wouldn’t really know if they were susceptible to this type of vulnerability ahead of time,” he said. “It just, through the public awareness, became known.”
Alberta computer security expert John Zabiuk suspects there’s a wave of problems coming.
“Right now, we’re just seeing the tip of the iceberg,” he said. “This is probably the largest flaw that’s hit the Internet in history.”
Zabiuk is with the Northern Alberta Institute of Technology in Edmonton, where, as an ethical hacker, he teaches students to protect computer systems by approaching the problem from a hacker’s perspective.
Zabiuk says officials are likely to discover a much bigger cache of information has been compromised.
“Realistically, with over two thirds of all servers compromised online with this vulnerability, we’re going to be seeing a lot more fallout from this,” he said.
The problem is that the bug has been loose for two years, said Zabiuk.
“So what we’re seeing with the 900 users that they say have been affected or compromised — that’s just in the last two weeks that they’ve been keeping track of what’s going on with this,” he said.
“Prior to this, again it’s been out for over two years, so what’s gone on in that span of time?”
Service was restored Sunday to all publicly accessible Government of Canada websites, as well as to the tax-filing systems E-file and Netfile.
The CRA has apologized to Canadians for the delay and inconvenience, but added it was necessary to ensure the agency’s online services were safe and secure.
It said it will not apply interest or penalties to individual taxpayers filing their 2013 tax returns after April 30 for a period equal to the length of last week’s service interruption.
That means 2013 tax returns filed by May 5 will not incur interest or penalties.
With files from 680News