updated 02:58 pm EDT, Mon April 14, 2014
900 taxpayers lose social insurance numbers to OpenSSL flaw
Canada's tax administration has reported that around 900 people have had personal data stolen, with the attackers extracting the data by exploiting the Heartbleed bug. The data taken includes social insurance numbers (similar to Social Security numbers in the US), and potentially other information. The breach is the first to point directly at the Heartbleed bug as the main attack vector.
The Heartbleed bug has existed since March 2013, and puts at risk not only the contents of encrypted online communications, but also the SSL keys used in the transmission. Heartbleed appears in the widely-available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers.
Heartbleed allows attackers to reveal credit card details in a transaction over HTTPS by reading the contents of server memory. The severity of the issue potentially allows the stolen SSL keys to be used to enter a server without leaving any sign of an intrusion. Many major services are either immune to the attack, or have since patched the flaw -- but smaller services, and some hardware, remain susceptible.
Security firm Cybereason's chief executive Lior Div said of the attack that "we are in a race. People who hadn't thought about using this type of attack will use it now." Div believes that the simplicity of the attack will allow "unsophisticated hackers" to utilize publicly-accessible tools.
Regarding the breach, the Canada Revenue Agency claimed that "we are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed." The service was shut down on Wednesday, in the middle of tax season. The CRA claims that no other attacks were made before or after the Heartbleed attack.