Confirmed Heartbleed victim: Canada Revenue Agency
Posted on 14 April 2014.
The Canada Revenue Agency (CRA) has been breached by attackers who leveraged the newly discovered Heartbleed bug in OpenSSL and managed to compromise the Social Insurance Numbers of some 900 taxpayers, the agency confirmed on Monday.

The CRA took its online services offline on April 8, after having been informed of the danger that the vulnerability presented to the security of its systems. They have "worked around the clock with Shared Services Canada to apply a 'patch'", and have tested its effectiveness. The services were brought online again on Monday, April 14.

At the same time, the Government of Canada's lead security agencies informed the CRA that it had suffered a breach lasting six hours.

"Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the agency shared. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

"The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday," they noted. "Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."

All affected taxpayers will receive a registered letter informing them of the breach, the agency confirmed, but it warned that it will not be calling or emailing affected individuals, so as not to give phishers the opportunity to trick them with fake emails and calls.

"The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity," they concluded.

"Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent," commented Keith Bird, UK managing director of Check Point.

"I believe we'll see more announcements like this over the coming days. So it's really important that people are cautious about clicking on any links in emails that they receive from organizations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There's a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords."
