Heartbleed Causes Breach in Canada
Revenue Agency Says Social Insurance Numbers Compromised
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," Commissioner Andrew Treusch says in a statement issued April 14.
"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," Treusch says. "Thanks to the dedicated support of Shared Services Canada and our security partners, the agency was able to contain the infiltration. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."
The CRA will notify impacted individuals about the breach and offer them free credit protection services. The agency did not immediately respond to a request for additional information.
Canada Halted Online Tax Returns
The CRA on April 9 shut down public access to its online services, halting online tax returns until the situation had been remedied. On April 13, the CRA restored online services and customers are now able to file their tax returns.
"After learning ... about the Internet security vulnerability named the Heartbleed Bug that is affecting systems around the world, the CRA acted quickly, as a preventive measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold," the CRA says in a statement posted to its website.
Minister of National Revenue Kerry-Lynne D. Findlay had said individual taxpayers will not be penalized for the service interruption. "Interest and penalties won't be applied to individuals filing 2013 tax returns after April 30 [filing deadline] for [a] period equal to length of service disruption," she says in a Twitter post.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).