Heartbleed bug: Revenue Canada knew about stolen SINs last Friday

The Canada Revenue Agency knew last Friday that hundreds of Canadians had their social insurance numbers stolen from its website because of the Heartbleed security bug but waited until Monday to make it public.

"The Canada Revenue Agency contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals," said Valerie Lawton, a spokesperson for the Privacy Commissioner's Office in a written statement Monday afternoon.

The commissioner's office later clarified that it was told by CRA that "several hundred Canadians" had their social insurance numbers stolen from the agency's website due to the Heartbleed security bug.

The CRA publicly confirmed the attack Monday morning.

"Social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said in a statement.

The agency said it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period, although the agency didn't specify which six-hour period was in question and isn't offering further explanation beyond a statement posted on its website.

"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," the CRA said.

The agency said those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.

Murray Rankin, the NDP critic for national revenue, says the government has to come clean and tell Canadians exactly what its agencies know.

"This kind of identity theft possibility is frightening to a lot of Canadians and the government has to tell us a lot more than they are telling us," Rankin said in an interview with CBC News.

Rankin said the government needs to explain, among other things, why it took the CRA days to repair the vulnerability while some banks were able to fix the problem right away.

"How is it that our banks can look after security so effectively… whereas the Canada Revenue Agency which has such sensitive information hasn't been able to keep our secrets?" Rankin asked.

The theft of a social insurance number is among the most serious forms of identity theft exposure, because the number is used as an identifier across government programs and financial services.

"Along with other personal information, someone may be able to use your SIN to apply for a credit card or open a bank account, rent vehicles, equipment, or accommodation in your name, leaving you responsible for the bills, charges, bad cheques, and taxes," Canada's privacy commissioner says on its identity theft factsheet.

Anyone affected will be provided with credit protection services at no cost, the revenue agency said.

The CRA shut down the public access portion of its website last week, for what it said were precautionary reasons while it implemented a fix to a potential weakness that had been identified.

The website was reopened over the weekend, but by Friday the CRA had already confirmed a breach and alerted police.

"On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach," CRA commissioner Andrew Treusch said. "The RCMP are investigating."

The Heartbleed bug is a flaw in OpenSSL, an open-source cryptographic library widely used on the internet to provide the encryption behind secure web connections. The flaw lets an attacker send a malformed "heartbeat" message to a vulnerable server and read back chunks of the server's memory, without leaving a trace in ordinary server logs.

The bug is affecting many IT systems worldwide in both private- and public-sector organizations, and the memory it exposes can contain private data such as session cookies, passwords and encryption keys.
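As an added illustration of the flaw (example code written for this page, not OpenSSL's or the CRA's code): the TLS heartbeat message defined in RFC 6520 carries a one-byte type, a two-byte payload length, then the payload and at least 16 bytes of padding. Vulnerable OpenSSL versions trusted the peer's declared payload length when copying the payload into the response, so a request that claimed a large payload was answered with whatever bytes happened to sit next to the request in memory. The record built here, the placeholder "SIN=..." string standing in for adjacent data, and the function names are all constructed for the demonstration; the length check in `heartbeat_fixed` mirrors the one the OpenSSL fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed stand-in for a heap region: the heartbeat record is written at
 * the front, and a placeholder "secret" is placed right after it to play the
 * role of unrelated data that happened to be adjacent in the server's memory. */
static unsigned char g_memory[64];
static const char g_secret[] = "SIN=123456789";   /* constructed, not real */

/* Write a heartbeat request with a real 4-byte payload ("ping") but a
 * declared payload_length of `claimed_len`. Returns the record's true
 * on-the-wire length, which is what the TLS record layer actually knows. */
size_t build_record(uint16_t claimed_len) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + 3, "ping", 4);
    size_t record_len = 1 + 2 + 4 + HB_PADDING;
    memcpy(g_memory + record_len, g_secret, sizeof g_secret);
    return record_len;
}

/* Vulnerable handler: sizes the response from the peer's declared length and
 * copies that many bytes out of the request, never consulting record_len.
 * The response buffer is big enough (OpenSSL allocated it from the declared
 * length too); the out-of-bounds read of the request is the bug. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_cap) {
    (void)record_len;                              /* the missing check */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;              /* keeps the demo buffer safe */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);         /* reads past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: silently discard any heartbeat whose declared payload, plus
 * header and minimum padding, does not fit inside the record actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);         /* now within the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Returns 1 if the placeholder secret appears anywhere in the response payload. */
int response_leaks_secret(const unsigned char *out, size_t n) {
    size_t m = strlen(g_secret);
    for (size_t i = 3; i + m <= n; i++)
        if (memcmp(out + i, g_secret, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[128];
    size_t rl = build_record(40);                  /* claims 40 bytes, carries 4 */
    size_t n = heartbeat_vulnerable(g_memory, rl, out, sizeof out);
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(g_memory, rl, out, sizeof out);
    printf("fixed: %zu bytes returned (0 means request discarded)\n", n);
    return 0;
}
```

The real attack simply repeated such requests, each returning up to 64 KB of memory, which is why a single session's worth of traffic could carry hundreds of fragments of other users' data.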

Toronto software engineer Justin Bull noticed the vulnerability on the CRA's website ahead of the agency's decision to shut the network down, and Bull says there's a lot we still don't know about the details of this breach.

"Their lack of information on how the attacker obtained these SIN numbers and how they discovered this was the case gives a wide area of speculation," Bull said Monday.

"Chances are, though, since they know 900 SINs were accessed, that the attackers leveraged Heartbleed to gain access to an unauthorized section of the website."

Stressing he has no personal knowledge of the situation, web security consultant Raymond Vankrimpen with Richter consultancy in Toronto says it's possible that the 900 affected people may just be those with the bad luck to have logged on before the website was shut down.

"In that six-hour window between when the bug was disclosed publicly and they shut down their servers … it could have been the 900 people who accessed the server in that window," he said in an interview.

It's also possible, however, that the CRA found unauthorized activity by correlating a lot of historical data of "normal" activity and cross-referencing that to find discrepancies, he says.

"They would be looking for certain behaviours," he said. "A normal person comes to the CRA to file taxes and does X, Y, Z … so they can look at their logs to make a profile, and when they see anomalies they may link that back to unauthorized activity."

"They're looking for anything out of the normal," Vankrimpen said. "I'm not sure how the CRA came up with 900 [but] if there were some nefarious hackers using it to steal info there could still be repercussions to come."

"We won't see the full fallout for a while," he said.