900 SINs stolen from CRA
OTTAWA—The federal tax agency says the social insurance numbers of roughly 900 people were stolen from its systems, which were left vulnerable by the so-called Heartbleed bug.
The Canada Revenue Agency blocked public access to its online services for several days last week until it addressed the security risk, but said today there nonetheless was a data breach over a six-hour period.
“I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act,” CRA commissioner Andrew Treusch said in a statement.
“CRA online services are safe and secure,” he stressed. “The CRA responded aggressively to successfully protect our systems.
“We have augmented our monitoring and surveillance measures so that the security of the CRA site continues to meet the highest standards,” Treusch added.
Everyone affected will receive a registered letter and free access to credit protection services, the agency said.
The Heartbleed bug is caused by a flaw in OpenSSL software, which commonly is used on the Internet to provide security and privacy.
The bug is affecting many global IT systems in both private- and public-sector organizations, and has the potential to expose private data.
Service was restored yesterday to all publicly-accessible Government of Canada websites, as well the tax-filing systems E-file and Netfile.
The CRA has apologized to Canadians for the delay and inconvenience, but added it was necessary to ensure the agency’s online services were safe and secure.
It said it will not apply interest or penalties to individual taxpayers filing their 2013 tax returns after April 30 for a period equal to the length of last week’s service interruption.
That means 2013 tax returns filed by May 5 will not incur interest or penalties.