Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug
After learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug, the CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8, 2014.
Since then, CRA worked around the clock to implement a “patch” for the bug, vigorously test all systems to ensure they were safe and secure, and re-launch our online services late yesterday.
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.
Beginning today, the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN. The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.
The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity.
On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach. The RCMP are investigating.
As the Commissioner of the CRA, I want to express regret to Canadians for this service interruption. In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.
CRA online services are safe and secure. The CRA responded aggressively to successfully protect our systems. We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards.
I know that all employees of the Canada Revenue Agency join me in appreciation for the cooperation and patience of the public, businesses and representatives as we resolved this situation.
the CRA services have been restored to full service and the deadline to file tax returns without penalty has been extended until May 5, 2014.