Social Insurance Numbers compromised by hackers

The Canada Revenue Agency says it is the victim of "a malicious breach of taxpayer data" and that 900 Social Insurance Numbers were compromised.

It turns out hackers have penetrated the security of the Canada Revenue Agency, exploiting the Heartbleed bug, which has exposed two-thirds of all of the web's sites.

The Commissioner of the Canada Revenue Agency, Andrew Treusch, says the Social Insurance Numbers of about 900 taxpayers were removed from CRA systems.

Experts are now analyzing other fragments of data, including some that "may relate to businesses, that were also removed."

All of this occurred over a span of 6 hours.

The website was taken down on April 8th. The Commissioner informed the federal Privacy Commissioner of the breach on April 11th, last Friday.

It is not clear why it took until Monday morning to tell the public.

Commissioner Treusch says that starting Monday, the CRA is putting measures in place to support and protect those affected by the breach.  

A news release from the CRA says a dedicated 1-800 number has been set up to provide further information, including what steps you can take to protect the integrity of your SIN. However, the release does not include the phone number.

If you get e-mail or a phone call about the attack that claims to be from the CRA, ignore it; that is most likely a scam. 

If you are affected, you'll receive a registered letter by regular mail.

Also, if your number has been stolen, the CRA will provide you with credit protection services at no cost to you.

Comments:
  1. don was right posted on 04/14/2014 09:09 AM
    They should have used Windows.
    1. Karl Burgin posted on 04/14/2014 10:06 AM
      @don was right More specifically Windows ME. No one even bothers trying to hack/infect those OSes. lol
  2. Peter posted on 04/14/2014 09:18 AM
    A first reaction to this story may be:
    - is it really just 900 or is this the tip of the iceberg?

    Many crises seem to start out by breaking the news gently, but in the end the full damages are a thousand times what was declared in the original story.

    If 900 taxpayers have been affected, then why not 900,000? Where's the other half of the story? Why not 90,000 taxpayers being affected? Wasn't the attack computer powerful enough?

    Now I am in suspense.

  3. JamesN posted on 04/14/2014 09:26 AM
    Interesting that the story said removed. Why would hackers remove them (delete them?) instead of just downloading?
    1. Peter posted on 04/14/2014 09:55 AM
      @JamesN
      There could be a service that the hackers were offering to taxpayers in bad standing: "We will remove your records for a fee." I know a lot of people that would consider that offer.

      So maybe that "900" amount is the number of customers that paid the hacker to remove their records.

    2. Karl Burgin posted on 04/14/2014 10:11 AM
      @Peter Identity theft... with those SINs, you can sign up for anything. By the time the authorities realize what they've been used for and for what purposes, it would already be too late; the SINs would have served their purpose.
  4. Angry Bill posted on 04/14/2014 10:01 AM
    Due to the nature of the security flaw, it is virtually impossible to tell if anything was accessed. The only hard number the government has is 900, because those records were deleted.

    But if any of that data were just viewed or downloaded with no editing or deleting, CRA would have zero clue that the information was accessed.

    Bottom line, assume your information is compromised.
    1. Peter posted on 04/14/2014 10:05 AM
      @Angry Bill
      Yes I agree with you 100% Angry Bill.
      The hackers may have downloaded millions, and there is an extreme crisis here. As this story's "900" number just broke, I would be prepared for lots more bad news.
    2. Karl Burgin posted on 04/14/2014 10:18 AM
      @Angry Bill The fact is, with those SINs, you could easily get thousands (if not millions) worth of VISAs, Mastercards, lines of credit, etc., all without ever having to sign up in person. Then all you gotta do is virtually empty those accounts.
      By the time the feds figure out what's happened, it's gonna be too late, and the lenders are going to be the ones holding the bag, or the insurance.
      Ah crap, I can see insurance rates going up over this :(
  5. Bettie posted on 04/14/2014 10:03 AM
    Apparently the CRA has inferior security to that of my bank but the equivalent of that of AOL, Yahoo and Flickr. That's disturbing.
  6. john posted on 04/14/2014 10:39 AM
    I have told people and my friends for years to trust the net like you trust the Liberal government, as in never. But they would not listen, and see what happens. I was right. I would never do anything money-related on the net unless I have a prepaid card, so they can only take an amount out and nothing more.
  7. john posted on 04/14/2014 11:20 AM
    I will take Linux over Windows any day of the year.
    1. Peter posted on 04/14/2014 01:00 PM
      @john
      I agree with you John.

      I wonder if the Feds use UNIX or the OS of the mainframe-type configurations they have.
      But I guess the servers would still be Windows? I don't know.

      An insider may have contributed to the security breach.
    2. Karl Burgin posted on 04/14/2014 04:14 PM
      @Peter Unfortunately Linux is less secure, because it's open source. That's why not many businesses/corporations use it.
    3. john posted on 04/15/2014 03:30 PM
      @Karl Burgin Windows is just as bad in that case. I know people who can mess with Windows just like you can with Linux. With open source you can at least (if you have programming skills) make a program or find a way to patch it.
  8. don was right posted on 04/14/2014 01:22 PM
    It was the open source SSL component of Linux that was compromised. NOT anything made by Microsoft.
    1. Karl Burgin posted on 04/14/2014 04:18 PM
      @don was right I have to second it. OpenSSL has nothing to do with Windows.
      Remember, this protocol is always pinging to make sure the server you would like to log in to is present. If it is, the requested server has to respond with a ping in kind.
      The exploit here, however, is that the initial ping can grab whatever is currently stored in the server's RAM. And there's no way (that I know of, at least) of keeping track of what resides in there, as information is either wiped/changing or memory is recycled constantly.
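The message Karl is describing is the TLS heartbeat extension. The Heartbleed defect was that unpatched OpenSSL trusted the payload length the peer wrote into the heartbeat message and copied that many bytes back out of its own memory, even when the message it had actually received was far shorter. The fix, and the check an intrusion-detection rule performs on the wire, is the same bounds test: the claimed payload plus the fixed overhead must fit inside the TLS record that carried it. The example below is added here and is not code from the article, the CRA or the OpenSSL project; the record layout (5-byte TLS header, then heartbeat type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520, and the two sample records are constructed inline for illustration.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Returns None if the header is missing or the body is shorter than the
    header's length field claims (a truncated capture, or a bogus header).
    """
    if len(data) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None
    return content_type, version, body


def heartbeat_is_well_formed(record: bytes) -> bool:
    """Accept a heartbeat record only if its claimed payload fits in the record.

    This is the bounds check that vulnerable OpenSSL omitted: the server must
    not echo more bytes than it actually received. Anything that fails here
    should be discarded (in a library) or flagged (in a detector).
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return False
    content_type, _version, body = parsed
    if content_type != TLS_HEARTBEAT:
        return False                      # not a heartbeat at all
    if len(body) < 3:
        return False                      # no room for type + length fields
    hb_type = body[0]
    claimed_payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    # type(1) + length(2) + payload + minimum padding must not exceed what arrived
    return 1 + 2 + claimed_payload_len + HB_MIN_PADDING <= len(body)


def count_malformed(records) -> int:
    """Return how many heartbeat records in a capture fail the bounds check."""
    return sum(
        1 for r in records
        if parse_tls_record(r) is not None
        and parse_tls_record(r)[0] == TLS_HEARTBEAT
        and not heartbeat_is_well_formed(r)
    )


# Constructed sample records (not captured traffic). Both carry a 4-byte
# payload "ping" plus 16 bytes of padding, so the body is 23 bytes long.
_PAD = b"\x00" * HB_MIN_PADDING
_HEADER = bytes([TLS_HEARTBEAT]) + b"\x03\x02" + struct.pack("!H", 23)

# Honest request: length field says 4, and 4 payload bytes are really present.
GOOD_RECORD = _HEADER + bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + _PAD

# Malformed request: length field claims 16384 bytes but only 4 are present.
# A vulnerable server would answer with 16 KiB read from its own memory.
BAD_RECORD = _HEADER + bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"ping" + _PAD

# A handshake record (content type 22) is not a heartbeat and is left alone.
HANDSHAKE_RECORD = b"\x16\x03\x01\x00\x00"


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, "well-formed" if heartbeat_is_well_formed(rec) else "MALFORMED")
    print("malformed in sample capture:",
          count_malformed([GOOD_RECORD, BAD_RECORD, HANDSHAKE_RECORD]))
```

The only difference between the two samples is the 2-byte length field; the payload bytes that actually arrived are identical. That is why Angry Bill's point stands: a well-formed request and a malicious one look the same to ordinary application logging, and only a length-aware check at the TLS layer (or a network sensor doing the same arithmetic) can tell them apart.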
