Heartbleed Bug Responsible For Stolen Personal Data: CRA

The Canada Revenue Agency (CRA), I think, has some explaining to do. You might recall that they had to shut down their website due to the Heartbleed bug (followed later last week by other Canadian Government departments). Now it seems that data was stolen. Here’s what The Globe And Mail had to say:

The RCMP is now investigating the breach, the CRA said in a statement released Monday morning following a six-day closing of its Web filing services.

Each person whose SIN was stolen will be notified by registered mail, the CRA said.

The agency won’t say when the breach occurred – whether it was during the two years during which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed’s existence and the CRA’s shutdown of its websites last week.

Nor would the CRA explain how it determined what SINs were hacked, since Heartbleed intrusions are hard to detect.

“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA communiqué said. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

So, this is why they have some explaining to do. If we assume that anyone who exploits Heartbleed would leave no trace, does that mean that the information was already used by evildoers and that’s how the CRA found out? Or does the CRA have other means for detecting intrusions? I would like to think that the latter is true. But seeing as Heartbleed has been around for 2 years, the former is true as well. This is why we need to find out the details about this data breach in a completely transparent manner. And we need to find out sooner rather than later.

2 Responses to “Heartbleed Bug Responsible For Stolen Personal Data: CRA”

  1. […] Police for the hack using the heartbleed bug that resulted in 900 social insurance numbers being stolen from the Canada Revenue Agency. Here’s what The Globe And Mail […]

  2. […] This isn’t the first time that the CRA has had to take down their site because of a security issue. They got hit by someone who pwned them via an OpenSSL bug known as Heartbleed a few years back. That led to a 19-year-old being put in the clink because of it. But not before other Canadian Government websites had to be taken down to fix the issue and personal data was leaked. […]
