Skip to main content

The Globe and Mail

RCMP has suspect in Canada Revenue online theft

The Canada Revenue Agency website is seen on a computer screen displaying information about the Heartbleed security risk on April 9, 2014.


The RCMP has identified at least one suspect in its probe into the alleged theft of confidential information from the Canada Revenue Agency's website.

In a statement on Tuesday morning, the national police force said it asked the CRA to remain quiet for three days about the possible infraction in order to pursue its investigation.

"Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning," RCMP spokesperson, Corporal Lucy Shorey, said in the communiqué.

Story continues below advertisement

"This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk."

About 900 social insurance numbers were stolen from CRA computers, the revenue department said on Monday, following a shutdown of its public online services caused by the Heartbleed Internet bug. The CRA statement was one of the first disclosures by an organization that it had lost data to someone exploiting the vulnerability.

However, the government has also come under fire for its handling of the threat and the speed with which it has acted to contain the problem.

"There are many questions about the response and the timing of the response," NDP MP Charlie Angus said in an interview. "We see a pattern with this government, which is to protect the minister rather than protect the interests of Canadians."

The CRA won't say when the breach occurred: during the two years in which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed's existence and the CRA's shutdown of its websites last week.

The CRA also declined to explain how it determined which SINs were hacked, since Heartbleed intrusions are hard to detect.

Internet security expert Mark Nunnikhoven said it appears the breach was recent and retraced through network monitoring from one of the federal government's agencies dealing with Internet security, such as Shared Services Canada or the Communications Security Establishment Canada.

Story continues below advertisement

While a Heartbleed breach would have left no traces of data leak on the logs of CRA servers, it would have been spotted by the network monitoring tools of other federal agencies that capture and analyze transiting data packets, he said.

"If you have multiple layers of security controls in place, you can catch it … that means someone upstream on the government's shared network saw it," Mr. Nunnikhoven, a former IT specialist in the federal government, said.

Report an error Licensing Options
About the Authors
Parliamentary reporter

Daniel Leblanc studied political science at the University of Ottawa and journalism at Carleton University. He became a full-time reporter in 1998, first at the Ottawa Citizen and then in the Ottawa bureau of The Globe and Mail. More

National reporter

Tu Thanh Ha is based in Toronto and writes frequently about judicial, political and security issues. He spent 12 years as a correspondent for the Globe and Mail in Montreal, reporting on Quebec politics, organized crime, terror suspects, space flights and native issues. More


The Globe invites you to share your views. Please stay on topic and be respectful to everyone. For more information on our commenting policies and how our community-based moderation works, please read our Community Guidelines and our Terms and Conditions.

We’ve made some technical updates to our commenting software. If you are experiencing any issues posting comments, simply log out and log back in.

Discussion loading… ✨