Skip to main content

Canadian social security numbers stolen using heartbleed bug

The Heartbleed saga took a major turn last night, as it was revealed that at least two websites have suffered breaches as a result of the vulnerability.

According to Canada’s CBC news, hundreds of Canadians had their social insurance numbers stolen from the revenue website due to the OpenSSL flaw, but waited until Monday to make it public. “The Canada Revenue Agency contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals,” said Valerie Lawton, a spokesperson for the Privacy Commissioner's Office in a written statement Monday afternoon.

The revenue agency confirmed that approximately 900 social insurance numbers were breached, and it is currently analysing other fragments of data.

Keith Bird, Check Point’s UK managing director, said: “Hackers were obviously alert to the vulnerability, and quick to exploit it. The agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent.

“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords.”

Following Bird’s comment, it was reported by the Telegraph that data of all 1.5m members of Mumsnet may have been compromised. The parenting website suspected that passwords and personal messages may have been compromised before it installed the patch last week.

In an email to members, it said: “On Friday 11th April, it became apparent that what is widely known as the Heartbleed bug had been used to access data from Mumsnet users' accounts. We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed.”

Paul Martini, CEO at iboss Network Security, said: “Heartbleed could be seen as a convenient scapegoat for data loss that occurred a different way. Its prevalence could make it an attractive finger pointing exercise to potentially reduce data loss liability compared to say some other negligence.

“There isn’t necessarily a way to trace a historical Heartbleed hack unless every IP and amount of transferred data was being recorded, which could be used to indicate a hack in the past. However, the likelihood of having this kind of data stored is small. In addition, the hack to steal the key is not necessarily correlated to the data theft. So, even having this kind of historical data does not provide much insight.

“Unfortunately, there’s isn’t one thing in particular that companies should look for if they are concerned about a historical hack. Instead, companies should replace their SSL certificates with new ones as soon as possible.”

Dan Raywood is the editor of IT Security Guru