One of the first cases of data theft through the OpenSSL Heartbleed bug has been acknowledged by Canada's national tax office.
While the Canadian Revenue Agency was quick to patch for Heartbleed when news of the vulnerability broke, an attacker managed to remove the Canadian Social Insurance Numbers (SINs) of around 900 taxpayers from the agency, CRA commissioner Andrew Treusch said.
Further investigation by the CRA indicated some data relating to businesses may have been removed by attackers, according to Treusch.
How the CRA discovered the SINs were stolen was not revealed. Heartbleed allows attackers to siphon off data in the memory of servers and clients running vulnerable versions of the OpenSSL cryptographic library, without leaving a trace.
The CRA said it will use registered mail, as opposed to phone calls or emails, to inform taxpayers whose SINs were taken, so as to ensure security of communications and to prevent phishing campaigns in the wake of the data theft.
Credit protection services for those affected will also be provided for free by the CRA.
Canada's privacy commissioner has been informed of the breach, and the CRA has called in the Royal Canadian Mounted Police to assist with the agency's investigations.
The Heartbleed bug is the result of a coding error in the popular OpenSSL cryptographic library. It was made public on April 8 this year, but has been present in vulnerable versions of OpenSSL for the past two years.
Despite the lengthy period of the vulnerability's existence, the flaw does not appear to have been widely exploited. The bug affects billions of servers, clients and devices around the world.
UK website Mumsnet, which claims to have 1.5 million registered members, joined the CRA today to reveal it too had been compromised by the Heartbleed bug.
Mumsnet founder Justine Roberts told the BBC attackers used her own username and password to post a message online. The hackers then reportedly told Mumsnet's admins they had used Heartbleed to obtain the credentials, and that the site's data was not safe.
She could not provide the number of affected users.