The Canadian Revenue Agency (CRA), which performs the same function for the Canadian government that the Internal Revenue Service does in the U.S., announced today that it has been bitten by the Heartbleed bug. The agency said that hackers removed approximately 900 social insurance numbers (SINs — equivalent to U.S. social security numbers) in a six-hour period before the CRA systems could be shut down. The attack occurred on April 8th.
The sort-of good news (such as it is) is that the CRA knows which accounts were affected and it is sending a registered letter to every person to inform them of the data theft. The agency has also set up a dedicated toll-free phone line to provide the affected people with additional information, “including what steps to take to protect the integrity of their SIN.”
And one other step the CRA is taking:
The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.
The government will also provide people whose numbers were stolen with free credit protection services.
The CRA websites were put back into operation on Sunday.