The Heartbleed continues.
The Canada Revenue Agency announced early Monday that approximately 900 Canadians have had their social insurance numbers (SINs) compromised from its website because of the heartbleed security bug. The tax collection agency said that it discovered the personal data theft while repairing the breach.
Individuals that were personally affected by Heartbleed will be contacted through registered letters which will have a dedicated 1-800 number. If someone is contacted by email or telephone then it would be under a fraudulent basis. Also, anyone who is affected by the bug will be given credit protection services for free.
“Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA said in a statement. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
The agency is recommending Canadians to change their username and password that they use to access the online services. All other websites are encouraging their users to revise their user IDs and passwords, too.
“We apologize for the delay and inconvenience it has caused to Canadians,” CRA Commissioner Andrew Treusch said in the statement. “That said, the delay was necessary. We could not allow these systems back online until we were fully confident they were safe and secure for Canadian taxpayers.”
Canadians who have yet to complete their taxes will be provided with an extension date that is equal to the number of days the website was down. This means taxpayers will have until May 5 to have their tax returns submitted. In addition, interest and penalties would not be applied for the individuals that file their taxes after the Apr. 30 deadline until May 5.
The Heartbleed bug originated from a defect in OpenSSL software, a program that is commonly utilized on the web for privacy and security. Researchers say that the flaw has gone unnoticed for two years and any hacker can take advantage of it without leaving a trace. Most concur that it is pretty difficult to discover if someone had already hacked a computer server.
The bug has hit the international stage as numerous public and private Information Technology organizations are working to correct the mistake.