
Heartbleed facilitates identity theft from Canada Revenue Agency

updated 02:58 pm EDT, Mon April 14, 2014

900 taxpayers lose social insurance numbers to OpenSSL flaw

Canada's tax administration has reported that around 900 people have had personal data stolen, with the miscreants using the Heartbleed bug to make off with it. The stolen data includes social insurance numbers (similar to Social Security numbers in the US), and potentially other data. The breach is the first to point directly at the Heartbleed bug as the main vector of attack.

The Heartbleed bug has existed since March 2013, and puts at risk not only the contents of encrypted online communications, but also the SSL keys used in the transmission. Heartbleed appears in the widely-available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers.

Heartbleed allows attackers to reveal credit card details from a transaction over HTTPS by reading data out of the server's RAM. The issue is severe enough that the SSL keys could potentially be used to enter a server without leaving any sign of an intrusion. Many major services are either immune to the attack or have since patched the flaw, but smaller services, and some hardware, remain susceptible.

Security firm Cybereason's chief executive Lior Div said of the attack that "we are in a race. People who hadn't thought about using this type of attack will use it now." Div believes that the simplicity of the attack will allow "unsophisticated hackers" to utilize publicly-accessible tools.

Regarding the breach, the Canada Revenue Agency claimed that "we are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed." The service was shut down on Wednesday, in the middle of tax season. The CRA claims that no other attacks were made before or after the Heartbleed attack.

By Electronista Staff

  1. dxtr

    Fresh-Faced Recruit

    Joined: 10-30-08

    How could they know this if Heartbleed leaves no trace?
    What fragments could they find or hope to "analyze" if, wait for it, ... "Heartbleed leaves no trace"? Does this mean something different in Canada?

  2. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    No, it means that the CRA simply doesn't know what it's doing .... which is par for the course .... they're a clueless government entity just like the rest. I'll bet that the server was running on some old Pentium Box under a clerk's desk :-)
