Despite shutting down its system completely for most of last week after the Heartbleed bug was revealed, the Canada Revenue Agency (CRA) says that the ID numbers of around 900 people were stolen.
The national tax agency reopened its computer systems Sunday, April 13, after applying a patch for Heartbleed. But before that was accomplished, the breach allowed the unauthorized access to the 900 CRA accounts.
CRA Commissioner Andrew Treusch today released a statement regarding the unauthorized access to the tax system:
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."
More info by mail: Treusch said CRA will send a registered letter to the 900 Canadian taxpayers who lost their ID numbers to hackers. The agency also has established a dedicated 1-800 number (which will be in the letter) where they can get further information.
"The CRA will also provide those who have been affected with access to credit protection services at no cost," said Treusch. "And we will apply additional protections to their CRA accounts to prevent any unauthorized activity."
Online systems OK: CRA says its systems that came back online over the weekend are secure.
"Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday," Treusch noted in the statement.
"Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."
Scam alert for all: Meanwhile, every Canadian taxpayers should be on alert for scams likely to emerge in the wake of the breach.
CRA notes that none of its employees will be calling or emailing individuals to inform them that they have been impacted. If you don't get a registered letter from national tax officials, your account information is fine.
So don't fall for any phishing schemes referencing Heartbleed. The attempts to get more tax ID numbers will no doubt be directed at all Canadian taxpayers in criminal hopes of exploiting the fear they might be among the 900 compromised accounts.
I also wouldn't be surprised to see crooks try to use the Canadian situation to their malicious advantage in the United States. That means taxpayers south of the 49th parallel also need to be on guard for Heartbleed tax scams.
You also might find these items of interest:
