Heartbleed bug left Public Safety officials scrambling, emails show

Newly released documents show senior officials in the federal Public Safety Department were taken by surprise by the so-called Heartbleed computer bug.

Vulnerability was disclosed April 7, but Revenue Canada did not shut e-file system until next night

On April 14, the Canada Revenue Agency confirmed that 900 social insurance numbers had been stolen from its website as a result of the Heartbleed bug.

Newly released documents show senior officials in the federal Public Safety Department were taken by surprise by the so-called Heartbleed computer bug.

E-mails released under the Access to Information Act show the department scrambling to gather information about the bug on the night it forced a shutdown of the Canada Revenue Agency’s online tax filing website, a move that came at the height of tax season.

Heartbleed is a vulnerability in the popular OpenSSL security encryption software that gave hackers who were aware of it access to sensitive personal and financial information and allowed them to steal information that’s supposed to be protected.

A patch is available to fix this weakness. Without it, the bug can pose a threat to the security and privacy of web traffic, email and instant messaging.

1st questions asked on April 8

CBC News requested emails related to Heartbleed from a number of federal government departments and agencies, for a time frame beginning on April 1. While the Ministry of Public Safety responded, the Communications Security Establishment Canada has asked for an additional 250 days to comply with the request, and the Canada Revenue Agency has asked for an extension of up to 540 days.

Internal emails from Public Safety acknowledge the Heartbleed bug was “publicly disclosed” on April 7, a full day before the Canada Revenue Agency shut down its website.

Correspondence among senior officials began to circulate just after 9 p.m. on the evening of Tuesday, April 8, the night the revenue agency locked down its online operations.

One of the first messages had the subject line: “Urgent Request from the Minister’s Office."

“The MO understands that CCIRC [Canadian Cyber Incident Response Centre] has put out a warning re: CRA E-File, something to do with “Heartbleed bug” – a software flaw that leaves secure websites open to hacking. Can you please confirm/provide any info or explanation asap.”

The Canadian Cyber Incident Response Centre​ had issued a warning about Heartbleed that day. The warning is referred to in subsequent emails within Public Safety that went on late into the evening. Still, there was confusion.

“CRA is reporting up that PS [Public Safety] officials are advising them to close down E-file. Any accuracy to that?” one email asked.

CRA shut down E-file after Shared Services warning

A later message informed officials Public Safety had not advised the revenue agency to shut down its systems but rather that the agency was acting on a warning sent out by Shared Services Canada, the department responsible for federal government computer networks. That same email noted the revenue agency also acted in accordance with its own policy “re protecting confidentiality of clients.”

Heartbleed is a hole in the OpenSSL security encryption software which is used by an estimated two-thirds of sites on the web. Its existence was first widely revealed on April 7.
By the next day, Wednesday, April 9, news of Heartbleed had spread. Computer security experts were warning of a serious threat to private information. Revenue Minister Kerry-Lynne Findlay, meanwhile, was assuring Canadians her department was acting out of an abundance of caution by shutting down its website.

“CRA has shut down E-File, Netfile, My Account, My Business Account in order to investigate,” Findlay said.

On the same day the minister was trying to quell public concern over Heartbleed, communications officers from several government departments were working out a strategy to deal with questions about the bug.

An email sent that day by Andrew Swift, director of public affairs at Public Safety Canada, lays out a road map.

Public safety computers unaffected

“PS [Public Safety] Communications chaired a conference call with communications partners from CRA, SSC, CSE, DND, TBS, IC, CSIS, RCMP and PCO this morning to discuss the “Heartbleed” cyber vulnerability being widely reported in the media today.”

Swift writes that the “media relations protocol, supported by PCO,” will be divided among three departments: the Canada Revenue Agency, Shared Services Canada and Public Safety, with each handling questions about various efforts to counter the Heartbleed bug.

Emails circulated within Public Safety over subsequent days show the department was able to determine that its own computers as well as those of Correctional Services Canada, the RCMP and the National Parole Board were unaffected by Heartbleed. One message refers to “lots of meetings” at which the computer bug was presumably discussed.

Public Safety Canada wouldn't comment on the emails or specifically on when they first received word of Heartbleed.

A spokeswoman with the department said the Canadian Cyber Incident Response Centre has been co-ordinating the national response and "sharing cyber threat and mitigation information related to Heartbleed."

SINs of 900 Canadians stolen

The Canada Revenue Agency site remained closed until Sunday, April 13. On Monday, April 14, the agency announced the social insurance numbers of 900 Canadians had been stolen. Over the course of the day, however, it emerged the agency was aware of the breach on the Friday before its announcement, raising questions about why it delayed going public.

The RCMP eventually came forward with an explanation, saying police had asked the revenue agency to keep quiet about the breach while officers tracked down a possible hacker. Emails between Public Safety and the Mounties dated Tuesday, April 15, show how the RCMP informed the department of its plan to release a statement “to clarify the situation surrounding the CRA vs the Heartbleed bug.”

The following day, the Mounties announced they had charged Stephen Arturo Solis-Reyes, a 19-year-old university student from London, Ont., with breaching the revenue agency website. He is set to appear in court next month.

Last month, Canada’s then interim privacy commissioner Chantal Bernier told a House of Commons committee the revenue agency was the only government agency to contact her office about a breach brought on by Heartbleed.

The bug, she said, had exposed the vulnerability of the internet. But she added she had no intention of investigating any further, declaring the Heartbleed case closed, at least for now.