OTTAWA (Reuters) – Canada’s tax-collection agency reported on Monday that the private information of some 900 people had been stolen from its computer systems as a result of vulnerabilities caused by the ‘Heartbleed’ bug.
The breach allowed someone to extract social insurance numbers, which are used for employment and gaining access to government benefits, and possibly some other data, the Canada Revenue Agency said.
“Regrettably, the CRA has been notified by the government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in a statement.
“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” it said.
Police are investigating and the country’s privacy commissioner has been informed, it said.
Right in the heart of tax-filing season, the CRA shut down access to its online services last Wednesday because of the bug, which is found in widely used Web encryption technology and is one of the most serious security flaws uncovered in recent years.
(Reporting by Louise Egan; Editing by Jeffrey Hodgson and James Dalgleish)