The Canada Revenue Agency (CRA) is the latest victim to fall to the OpenSSL #Heartbleed vulnerability, which hackers used to steal the social security numbers of hundreds of Canadian taxpayers.

Canada Revenue Agency confirms hundreds of social security numbers stolen by hackers using the Heartbleed vulnerability

After the worldwide reports on the OpenSSL #heartbleed vulnerability, it became known that many of the world's servers were vulnerable to attacks using this exploit. Seemingly the system of the CRA, which stores information of thousands of Canadian taxpayers, was vulnerable too. The CRA acted quickly to protect taxpayer information by removing public access to its online services on April 8, 2014. Since then the CRA has worked vigorously to implement the patch and test all the systems for maximum security, and is trying to relaunch the service.

But the time gap between the reports of the #heartbleed bug in the servers and the patching was enough for the hackers. The CRA was later informed by the Government of Canada’s lead security agencies about a breach of taxpayer data which impacted more than 900 taxpayers. The hackers, who exploited the #heartbleed vulnerability during the six-hour pre-patch and post-patch period, managed to steal the social security numbers of Canadian taxpayers. It is strange that the hackers knew exactly how much time they had to commit their cyber crime.

A statement released by the CRA says, “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”

“Beginning today, the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN.”

CRA also said that they will not be notifying the impacted taxpayers through calls or emails, because they do not want other cybercriminals to take advantage of this information by sending phishing emails to the Canadian taxpayers.

“The Agency will not be calling or emailing individuals to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.”

The CRA has announced that the affected taxpayers will be provided access to credit protection services at no cost, and that it will also add protection layers to their CRA accounts to prevent any unauthorized activity.

Andrew Treusch, Commissioner of the CRA, said that they have already notified the Privacy Commissioner of Canada of the breach and that an investigation is already underway by the RCMP.

As of now, the CRA online services are safe and secure to use, with all the vulnerabilities due to #heartbleed fixed.