Canada Says Taxpayer Data Stolen With Heartbleed Breach

Canada’s revenue agency said hackers exploiting the Heartbleed security flaw have gained access to some taxpayer data.

About 900 social security numbers, which the government uses to identify citizens, were taken from the Ottawa-based agency’s computer systems, Canada Revenue Agency said in a statement, without saying who committed the breach. The agency said it’s analyzing other fragments of data, some that may relate to businesses, that were also removed.

Heartbleed may be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. The bug, which was discovered by researchers from Google Inc. and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption.

“I want to express regret to Canadians for this service interruption,” Andrew Treusch, commissioner of the agency, said in the statement. “In particular, I share the concern and dismay of those individuals whose privacy has been impacted by this malicious act.”

The agency, which temporarily closed its online tax services last week to investigate the security flaw, said it has implemented a “patch” for the bug and tested all its systems. It re-opened its online services yesterday.

The breach took place over a six-hour period, the agency said, without giving an exact date. The Canadian government on April 10 ordered the shutdown of all its websites that run unprotected OpenSSL software as a precautionary measure until the appropriate security can be put in place.

To contact the reporter on this story: Theophilos Argitis in Ottawa at targitis@bloomberg.net

To contact the editors responsible for this story: Paul Badertscher at pbadertscher@bloomberg.net Chris Fournier

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.