Desktop – Leaderboard

Home » CRA commish addresses the Heartbleed bug

Posted: April 14, 2014

CRA commish addresses the Heartbleed bug

Letter to the Editor

After learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug, the CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8.

Since then, the CRA worked around the clock to implement a “patch” for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services late yesterday.

Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

The CRA is one of many organizations that were vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.

Beginning today (April 14), the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN. The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.

The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity.

On April 11, I informed the Privacy Commissioner of Canada of the breach. The RCMP is investigating.

As the Commissioner of the CRA, I want to express regret to Canadians for this service interruption. In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.

CRA online services are safe and secure. The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.

I know that all employees of the Canada Revenue Agency join me in appreciation for the cooperation and patience of the public, businesses and representatives as we resolved this situation.

Andrew Treusch,
 Commissioner,

Canada Revenue Agency

Article Share
Author:

More Stories

City signs contract to bring in pilot e-Scooter service

April 24, 2024

City signs contract to bring in pilot e-Scooter service
Firefighters respond to two spot fires next to Highway 3

April 24, 2024

Firefighters respond to two spot fires next to Highway 3
Emergency repair to impact water for two days

April 24, 2024

Emergency repair to impact water for two days
Clue livens up stage in colourful new production

April 24, 2024

Clue livens up stage in colourful new production
Policing and public safety initiatives moving forward

April 24, 2024

Policing and public safety initiatives moving forward
Property taxes set to increase in Kimberley

April 24, 2024

Property taxes set to increase in Kimberley
ERA looking for restoration volunteers

April 24, 2024

ERA looking for restoration volunteers
Dumpster fire damages hospital auxiliary building

April 24, 2024

Dumpster fire damages hospital auxiliary building