The Canada Revenue Agency says 900 Canadians have had their social insurance numbers stolen from its website because of the Heartbleed security bug.
The agency said early Monday that it became aware of the breach while repairing the bug, and that the theft happened over a six-hour period, although it did not specify which six-hour period and has offered no explanation beyond a statement posted on its website.
"Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."
The agency says those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.
Anyone affected will be provided with credit protection services at no cost, the revenue agency said.
The CRA shut down the public access portion of its website last week, for what it said were precautionary reasons while it implemented a fix to a potential weakness that had been identified.
The website was reopened over the weekend, but the CRA alerted police that it had confirmed a breach on Friday.
"On April 11, 2014, I informed the Privacy Commissioner of Canada of the breach," CRA commissioner Andrew Treusch said. "The RCMP are investigating."
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the internet to provide security and privacy.
The bug is affecting many global IT systems in both private- and public-sector organizations, and has the potential to expose private data.
Stressing he has no personal knowledge of the situation, web security consultant Raymond Vankrimpen with the firm Richter in Toronto says it's possible that the 900 affected people may just be those with the bad luck to have logged on before the website was shut down.
"In that six-hour window between when the bug was disclosed publicly and they shut down their servers … it could have been the 900 people who accessed the server in that window," he said in an interview.
It's also possible, however, that the CRA found unauthorized activity by correlating a lot of historical data of "normal" activity and cross-referencing that to find discrepancies, he says.
"They would be looking for certain behaviours," he said. "A normal person comes to the CRA to file taxes and does X,Y,Z … so they can look at their logs to make a profile, and when they see anomalies they may link that back to unauthorized activity."
"They're looking for anything out of the normal," Vankrimpen said.
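The log-profiling approach Vankrimpen describes, as an added illustration that is not part of the original article and not based on any CRA system: a baseline of "normal" per-session action sequences is built from one window of web-access logs, and sessions in a later window are flagged when they contain action transitions the baseline never saw or a request rate far above anything seen in the baseline. The log format, session ids and action names (`login`, `view_account`, `file_return`, `export_all`, and so on) are all constructed for this example.

```python
"""Session-profile anomaly detection over constructed web-access logs.

Added example: build a profile of normal per-session behaviour from a
baseline window, then flag sessions in a review window that deviate.
Log format and action names are constructed, not from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline lines: "<timestamp> <session_id> <action>".
BASELINE_LOG = """\
2014-04-07T09:00:01 s1 login
2014-04-07T09:00:05 s1 view_account
2014-04-07T09:00:40 s1 file_return
2014-04-07T09:01:10 s1 logout
2014-04-07T09:05:00 s2 login
2014-04-07T09:05:03 s2 view_account
2014-04-07T09:05:30 s2 view_notice
2014-04-07T09:06:00 s2 logout
2014-04-07T10:00:00 s3 login
2014-04-07T10:00:02 s3 view_account
2014-04-07T10:00:50 s3 file_return
2014-04-07T10:02:00 s3 logout
2014-04-07T11:00:00 s4 login
2014-04-07T11:00:03 s4 view_account
2014-04-07T11:00:20 s4 logout
"""

# Constructed review-window lines. Session x1 behaves like a taxpayer;
# session x2 never logs in, repeats one action within a second, and
# reaches an action the baseline never recorded.
REVIEW_LOG = """\
2014-04-08T14:00:00 x1 login
2014-04-08T14:00:04 x1 view_account
2014-04-08T14:00:30 x1 logout
2014-04-08T14:10:00 x2 view_account
2014-04-08T14:10:00 x2 view_account
2014-04-08T14:10:01 x2 view_account
2014-04-08T14:10:01 x2 export_all
"""


def parse_sessions(log_text):
    """Group log lines by session id, preserving their order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, action = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), action))
    return sessions


def requests_per_minute(events):
    """Requests per minute over the session's lifetime (min span 1 s)."""
    if len(events) < 2:
        return float(len(events))
    span = (events[-1][0] - events[0][0]).total_seconds()
    return len(events) * 60.0 / max(span, 1.0)


def build_profile(sessions):
    """Profile = every observed action transition plus the peak request rate."""
    transitions = set()
    max_rate = 0.0
    for events in sessions.values():
        actions = ["<start>"] + [a for _, a in events] + ["<end>"]
        transitions.update(zip(actions, actions[1:]))
        max_rate = max(max_rate, requests_per_minute(events))
    return {"transitions": transitions, "max_rate": max_rate}


def flag_anomalies(profile, sessions, rate_factor=3.0):
    """Return {session_id: [reasons]} for sessions deviating from the profile."""
    findings = {}
    for sid, events in sessions.items():
        reasons = []
        actions = ["<start>"] + [a for _, a in events] + ["<end>"]
        for prev, nxt in zip(actions, actions[1:]):
            if (prev, nxt) not in profile["transitions"]:
                reasons.append(f"unseen transition {prev} -> {nxt}")
        rate = requests_per_minute(events)
        if rate > profile["max_rate"] * rate_factor:
            reasons.append(f"request rate {rate:.0f}/min exceeds baseline")
        if reasons:
            findings[sid] = reasons
    return findings


def run(baseline_log=BASELINE_LOG, review_log=REVIEW_LOG):
    """Build the profile from the baseline and review the second window."""
    profile = build_profile(parse_sessions(baseline_log))
    return flag_anomalies(profile, parse_sessions(review_log))


if __name__ == "__main__":
    for sid, reasons in run().items():
        print(sid, *reasons, sep="\n  ")
```

With these inputs only session `x2` is reported: it starts without a `login`, repeats `view_account` back to back, ends on an action absent from the baseline, and its request rate is far above the baseline peak. In practice the baseline would be drawn from a long period of traffic so that rare but legitimate paths are not mistaken for anomalies, and a flagged session is a lead for investigation, not proof of unauthorized activity.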
Heartbleed bug: 900 SINs stolen from Revenue Canada
http://belajarbisnismen.blogspot.com/2014/04/heartbleed-bug-900-sins-stolen-from.html