Advertisement

Heartbleed SIN breach suspect ID'd by RCMP

CBC
The Heartbleed security glitch that led to the partial shutdown of Revenue Canada's website "exposed the vulnerability of the internet more than the deficiencies of any one dataholder," according to Canada's privacy commissioner.

RCMP have identified a "possible offender" after the Canada Revenue Agency saw 900 social insurance numbers stolen in a web security breach due to the Heartbleed bug.

The Mounties said in a statement Tuesday that they asked the CRA not to tell the public Friday about the Heartbleed breach so they could look into a "viable" path of investigation.

But the NDP wants to know more about the government's decision to shut down the CRA website and whether it could have done more to avoid the security breach in the first place.

The CRA spent days patching a hole in its security that allowed hackers to steal information without leaving a trace. The Heartbleed bug affected servers around the world.

"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk" the RCMP said.

The RCMP would not provide further details about the suspect.

The CRA temporarily shut down some access to its website late Tuesday last week after warnings that a security flaw in website encryption software — the Heartbleed bug — could leave websites vulnerable to hackers.

The shutdown was extended to other government websites later in the week.

The CRA said Monday that it realized on Friday that 900 social insurance numbers had been stolen during a six-hour attack that exploited the Heartbleed vulnerability. It did not indicate when the hour attack had occurred.

The agency notified the privacy commissioner's office Friday and referred the matter to the RCMP.

Fears of a bug in the OpenSSL software used for encryption on two-thirds of the world's internet servers surfaced more than a week ago. The U.S. Department of Homeland Security issued a public warning on April 7. Public Safety Canada issued a notice about the vulnerability the next day, and by the end of the day, CRA had closed parts of its website.

The NDP says there are troubling gaps in what the government has said about the matter to date.

In a letter Tuesday, NDP MPs Charlie Angus and Murray Rankin called on Revenue Minister Kerry-Lynne Findlay to "reassure Canadians" by explaining:

Who notified the CRA of the Heartbleed bug.

When the CRA learned that the bug was in its system and whether precautionary checks were made when the world learned of the bug on April 7.

Why the CRA delayed shutting down web operations until Tuesday when news of Heartbleed was made public Monday.

The letter from NDP MPs also notes that on the day the CRA website was shut down, the agency's assistant commissioner and chief privacy officer, Susan Gardner-Barclay, was telling MPs on a House of Commons committee that the agency's security systems were "one of, if not the strongest security regimes" in any government department, while making no mention of Heartbleed.

Angus and Rankin want to know whether this means CRA didn't realize the potential for harm or whether Gardner-Barclay was in the dark about the bug.

The CRA restored public access to its site over the weekend and extended the tax filing deadline for Canadians to May 5.