Last updated: April 09 2014
CRA reveals that Social Insurance Number data for 900 taxpayers was accessed through its systems due to the Heartbleed bug.
CRA will be notifying affected individuals by registered letter in the coming days, and a special toll-free number has been set up to help those affected decide what to do about the information breach. An analysis is still underway to determine if other information was breached, including for registered businesses.
The Heartbleed bug is a coding error in the software that makes Internet transmissions secure. This software is widely used by many websites across the Internet and was used by such popular sites as Yahoo! Mail. The issue with a specific version of the software, which was released in December 2011, is that it is possible for a hacker to see some of the encrypted information. The vulnerability was only discovered recently by security researchers.
While we now know through CRA that some taxpayer information has been compromised, the bigger issue is that logon data may have been compromised. If logon information has been compromised, a hacker could log into the CRA site with the stolen username and password and perform any function that the user could have performed.
CRA has stated that they have patched their systems to correct the vulnerability. However, because this same software is in use by a significant number of online websites, it is possible that passwords have been compromised elsewhere as well. Some pundits are recommending that all Internet passwords be changed; however, you need to be aware that if you change your password on a site that is still using the old version of the software, your new password may be compromised as well. If you have a password on a compromised site, be sure to change it after the site is once again secure. In addition, credit card information may have been compromised if you have used your card for online purchases on a compromised site. Be sure to check your credit card statements carefully for fraudulent use.
Click here for CRA's statement by the Commissioner regarding the Heartbleed bug.