The Canada Revenue Agency headquarters in Ottawa is shown on Nov. 4, 2011.SEAN KILPATRICK/The Canadian Press
The hundreds of Canadians whose social insurance numbers were stolen from the Canada Revenue Agency in a Heartbleed breach likely won't find out they were hit for several days.
The CRA announced Monday, following a temporary shutdown of its public online services caused by the Heartbleed Internet bug, that about 900 social insurance numbers were stolen from its computers.
(Read The Globe's explainer of how Heartbleed works and what passwords might be most at risk.)
Each person whose SIN was stolen will be notified by registered mail, the CRA said. Because of security concerns, it said in a communiqué that it "will not be calling or e-mailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes."
The numbers "were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the agency said. It added it is painstakingly analyzing other fragments of data that were removed, "some that may relate to businesses."
Social insurance numbers can help anyone trying to steal a person's identity, said John Russo, chief privacy officer at credit bureau Equifax Canada. The combination of a name, date of birth and SIN can let someone open a bank account and apply for credit or a car lease, he said.
The CRA's revelation is one of the first disclosures by an organization that it had lost data due to someone exploiting the Heartbleed vulnerability.
"There's probably going to be more organizations that are going to come forward to confirm there were breaches," Internet security expert Mark Nunnikhoven said Tuesday.
When Codenomicon, the Finnish security firm that co-discovered the security flaw, first announced the problem, it noted that anyone exploiting the bug leaves no traces of anything abnormal happening, making breaches very hard to detect.
Accountants and tax professionals say it is a relief that the breach in security appears to be so limited.
Robin Taub, an accountant and owner of Robin Taub Financial Consulting, said the number of stolen SINs is small "relative to the number of taxpayers in Canada," although she added that "if you are one of those 900, it is not good." And since those affected are being notified by mail, the sense of uncertainty over who has been hit will linger for several days.
But it makes sense for the CRA to use mail to contact the 900, said Wayne Bewick, an accountant with Trowbridge Professional Corp. in Toronto. "There is a lot of spam that comes out from people purporting to be the CRA," he said, so the agency needs to use the most secure means of notifying people.
Mr. Bewick said is "a bit comforting" that only 900 accounts were affected, because "there was a concern that it could have been everyone." It is still bad news, but "not as bad as some people thought it might be."
The office of Privacy Commissioner Chantal Bernier was informed of the problem Friday, though the breach wasn't made public until Monday morning. The RCMP is investigating.
Treasury Board President Tony Clement said in an interview that no other federal government departments were compromised by the Heartbleed bug. "We did a thorough check," he said. "And it's all been patched now, so we are now over the hump on this particular attack."
The Department of Immigration rejected reports on Twitter that it had been hit by Heartbleed, a spokeswoman for Immigration Minister Chris Alexander said.
The CRA said it will give free credit protection services to those affected by the breach, and apply extra protection to their CRA accounts. Equifax's Mr. Russo said it is also possible to apply for a new SIN number, although it is a lengthy process.
Still, accountants say they have heard very little concern expressed by clients about the Heartbleed bug and its impact, apparently a reflection of the frequency of reports of data breaches from all kinds of institutions, including retailers and computer-game makers.
"We haven't heard from our clients at all," said Cynthia Kett, an accountant at Stewart & Kett Financial Advisors Inc. "I think they have come to accept the fact that if their social insurance numbers and everything else is floating out there, that somehow, somewhere people are going to get it, if they really want to."
Mark Goodfield, a tax accountant and managing partner with Cunningham LLP in Toronto said he has had surprisingly little feedback from clients. "I think people are used to these sort of scares, and unless they see concrete evidence that they were affected, they wait and see."
The Heartbleed bug came to light about a week ago, and and the CRA shut down its online services last Tuesday evening. They re-opened over the weekend, and the agency said it would extend the tax filing deadline from April 30 tax to May 5.
But accountants who have been working full blast through tax season say they are going to try to finish up their work by April 30 anyway, because members of their staff have been promised time off at the beginning of May. "We are still just going to gun for April 30 to get everything done," Mr. Bewick said.
With a file from reporter Steven Chase in Ottawa.
Tu Thanh Ha