Personal data was stolen from the computers of the Canada Revenue Agency.
The CRA confirmed that nearly 1,000 social insurance numbers were compromised during a six-hour window of vulnerability caused by the Heartbleed Bug, despite the agency shutting down its public online services.
“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in a statement this morning. “Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
“The agency will not be calling or emailing individuals to inform them that they have been impacted—we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes,” the fiscal department added.
Instead, the CRA will notify affected individuals via snail mail.