TORONTO – The RCMP asked the Canada Revenue Agency to delay telling the public that 900 social insurance numbers had been stolen from its website while it was compromised by the Heartbleed bug.
According to a statement, the RCMP said it was notified of the security breach on Friday but asked the CRA to hold off on telling the public until Monday so it could pursue investigative leads.
“This deferral permitted us to advance our investigation over the weekend, identify possible offender(s) and has helped mitigate further risk,” read the statement issued Tuesday morning.
The CRA announced Monday that roughly 900 SINs had been stolen from the site over a period of six hours.
Each person affected will receive a registered letter to inform them of the breach and free access to credit protection services. A dedicated 1-800 number will also be available to those affected to provide further information, including what steps to take to protect the integrity of their SIN.
The agency has not confirmed whether it was just users’ SINs that were accessed or if any additional personal information was accessed.
The CRA shut down its electronic filing services on April 9, a day after the Heartbleed vulnerability was made public.
Kellman Meghu, head of security engineering at Checkpoint Software Technologies, said Tuesday that Canadians’ information may have been put at risk by the CRA’s delay in taking its services offline.
“The CRA is dealing with many servers – it would take them time to validate all their systems, which means there was time for other people to discover it was open to Heartbleed as well.”
Some experts have also suggested that more information may be at risk – which could put those affected at risk of identity theft.