Watch video above: CRA says 900 social insurance numbers stolen from website in Heartbleed breach. Mark Carcasole reports.
TORONTO – Many Canadians are feeling the direct consequences of the Heartbleed security vulnerability discovered last week as they wait to find out whether they were one of the 900 users to have their social insurance numbers stolen from the Canadian Revenue Agency’s website.
The CRA revealed Monday that roughly 900 social insurance numbers stolen after the federal agency’s website was crippled by the Heartbleed bug. But the agency won’t say whether any other personal information was stolen – that could make a big difference in the amount of damage fraudsters can do.
“CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in a statement.
The agency added that those affected by the security breach will be notified with a registered letter and will have free access to credit protection services.
But the news has ignited serious concerns surrounding identity theft: A SIN is crucial to your identity and credit score.
WATCH: 900 SINs stolen due to Heartbleed bug
“Anybody with that number and a few other details about you could start to generate some dangerous fraud,” said Kellman Meghu, head of security engineering at Checkpoint Software Technologies.
“On its own it’s not much but it’s a very important piece of a larger puzzle [someone malicious could be] trying to build.”
A social insurance number is a nine-digit number the government uses to track your income and taxes owed. You need a SIN to work in Canada or to receive any sort of government benefit.
According to Meghu, if someone had your SIN and personal details like your name, address, or date of birth, they could open credit card accounts in your name, apply for bank loans and even commit full-blown identity theft by taking over your existing accounts.
“Someone could even open credit outside of Canada,” he said.
But just how much data was stolen from the CRA website remains unknown.
The agency has not confirmed whether it was just users’ SINs that were accessed or if any additional personal information was accessed.
Identity theft expert Graham McWaters suspects that more information may have been leaked than the CRA is letting on, because it is unlikely that personal details such as a users name and basic contact information were stored separately from their SINs in the CRA database.
“My gut tells me that it’s worse than that because I find it odd that the numbers would be segregated on their database,” he said
Those affected by the breach will receive free access to credit protection services which help keep track of malicious credit activity by alerting the user if there is any suspicious activity under their name.
“Some companies offer up no credit monitoring at all, so what the government is doing here is the right thing,” said McWaters, who added credit monitoring should be offered for the long-term, as someone could hold on to your credit information and use it later.
“I know people who had their credit cards stolen and 18 months later someone tried to use it – so it could go on a long time.”
But McWaters also said those affected should take matters into their own hands and keep an active watch on their financial accounts, including their credit score, which can be damaged if someone racks up credit on a fraudulent account.
“You have to monitor and be vigilant and take care of your personal and credit information right away.”
McWaters notes one Canadian couple he’s heard of, had no idea they were being victimized.
“They woke up one day, their house was in somebody else’s name, there was a mortgage on it and they were divorced. Imagine that,” he said.
Breach could have been much worse
Despite the concerns, Meghu said that the number of affected people is quite low considering the risk the security flaw posed to websites.
“I thought 900 wasn’t too bad considering the risk Heartbleed posed,” he said. “And it’s not a knock to the CRA, this is damaging everywhere. But I’ll be honest – if it’s just 900 I think we got off easy.”
Similarly, security expert John Zabiuk told The Canadian Press Monday that he expects the fallout from Heartbleed to go well beyond the 900 stolen SINs.
- With files from Global Toronto’s Mark Carcasole
© Shaw Media, 2014