
It's called the Heartbleed bug and it's as awful as it sounds – at least when it comes to the enormous risks posed to supposedly safe and encrypted data.

The problem is so serious that it prompted the Canada Revenue Agency to temporarily shut down online services for taxpayers at the height of tax-filing season to ensure "the private information of Canadians remains safe and secure."

Coming after a string of cyberassaults on major U.S. retailers, this latest global security threat is bound to make consumers ever more skeptical about the safety of the sensitive information they have been routinely entrusting to governments, banks, insurers, retailers, hospitals and all manner of other service providers. And they should be.


The plain truth is that many organizations spend far more on touting their wares and services online and making their web sites as user friendly as possible than they do on safeguarding information. The Heartbleed bug underscores the dangers that lurk in the underbrush, ready to ambush even the most sophisticated of Internet players. And it ought to prompt much more serious investment in strong security measures and the capacity to quickly detect flaws and squelch breaches.

Unlike the malware attack that resulted in the stunning theft from Target Corp. of about 40 million payment card numbers and some 70 million customer records, the Heartbleed bug was not concocted by some clever teenage hacker for criminal clients. It's a critical software programming glitch in a data encryption standard called OpenSSL, one that has existed for the past two years. OpenSSL is widely used to safeguard traffic between web users and a vast number of servers storing data for a majority of web sites.

These include sites operated by the likes of Google, Facebook, Amazon and Yahoo. The first three fixed the glitch before it became public this week, and Yahoo is partway there.

The flaw leaves OpenSSL open, alright… to hackers. They can intercept reams of data, really everything stored in a computer's memory. This includes all manner of sensitive personal and corporate information, ranging from passwords and credit card numbers to emails and confidential documents.

Codenomicon, the Finnish cybersecurity company that (along with a Google Security specialist) uncovered the gaping security hole, attacked its own defences as a test. Without leaving a trace, its experts managed to steal secret encryption keys, user names, passwords, emails, instant messages and critical business documents and communication. The keys are the big prize in the cereal box, because they make the encrypted data readable.

Although Internet companies are rushing to close the security breach, the extent of the potential damage is so vast that Heartbleed has triggered earthquake tremors across the digital universe. It has also prompted a wave of "I-told-you-sos" from security-conscious Cassandras, who have long warned about such threats – not least RCMP commissioner Bob Paulson, who wrote to Public Safety Minister Steven Blaney that "this growing threat significantly impacts the economic prosperity of our country, as well as individual Canadians."

Governments, organizations and businesses may not have grasped the need to devote more resources to protecting information. According to research firm IDC Retail Insights, retailers are expected to spend $720.3-million (U.S.) on cybersecurity in 2014 – a figure dwarfed by their total tech spending for 2014, estimated at $36.34-billion. They may be hoping that the rising frequency and size of such attacks might be mitigated by the possibility that everyone will be affected at once. Too bad the costs of cybercrime are not being equally distributed. While the CRA closed its site, its equivalent U.S. agency, the Internal Revenue Service, did not. And Target faces heavy lawsuits over its security breaches, which, given a furiously competitive U.S. retail landscape, must have J.C. Penney and Sears breathing copious sighs of relief.


Sooner or later, a mega-hack is going to sink a business, or seriously undermine a government. Despite the high costs, organizations increasingly can't afford to take the risk of being the victim.
